Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/koajs/stateless-csrf

CSRF without sessions.
https://github.com/koajs/stateless-csrf

Last synced: about 1 month ago
JSON representation

CSRF without sessions.

Host: GitHub
URL: https://github.com/koajs/stateless-csrf
Owner: koajs
Created: 2015-07-31T23:36:09.000Z (about 9 years ago)
Default Branch: master
Last Pushed: 2023-12-03T16:52:02.000Z (10 months ago)
Last Synced: 2024-04-14T13:08:40.719Z (5 months ago)
Language: JavaScript
Homepage:
Size: 8.79 KB
Stars: 15
Watchers: 8
Forks: 1
Open Issues: 1
Metadata Files:
- Readme: Readme.md
- Changelog: History.md

Awesome Lists containing this project

awesome-koa - stateless-csrf - CSRF without sessions. (Middleware)

README

        
# stateless-csrf

  CSRF without sessions.

## Installation

    npm install stateless-csrf

## How it works

  This CSRF protection hashes a user's unique cookie against a server-side secret.

  When the request comes in, the server hashes the cookie with the server-side

  secret and then compares it to the CSRF token. If it matches, verification is complete,

  otherwise the middleware rejects the request.

  This is a slight variation on the [double submit cookies](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Double_Submit_Cookies) using the advice

  mentioned in [this comment](http://discourse.codinghorror.com/t/preventing-csrf-and-xsrf-attacks/268/61) in [this blog post](http://blog.codinghorror.com/preventing-csrf-and-xsrf-attacks/).

## Usage

```js

var csrf = require('stateless-csrf')

app.use(csrf({

  secret: 'some server secret',

  cookie: 'name of the cookie to hash against'

}))

app.use(function * (next) {

  if ('GET' == this.method) {

    this.body = this.state.csrf

  } else if ('POST' == this.method) {

    this.body = 'protected area';

  }

})

```

## Test

```

npm install

make test

```

## Considerations

- **Add a salt**: not sure if this is necessary since the user token is already unique.

- **Add an expiration**: not sure this is necessary since the cookie has an expiration.

## Disclaimer

  I am not a security expert nor have I done a security audit on this code.

  Use this at your own risk, and if you can think of any ways to make this more secure, let me know!

## License

MIT

Copyright (c) 2015 Matthew Mueller <[email protected]>