Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/tinyhttp/malibu
🏄 Framework-agnostic CSRF middleware for modern Node.js
https://github.com/tinyhttp/malibu
csrf esm http middleware nodejs security session tinyhttp
Last synced: 3 months ago
JSON representation
🏄 Framework-agnostic CSRF middleware for modern Node.js
- Host: GitHub
- URL: https://github.com/tinyhttp/malibu
- Owner: tinyhttp
- License: mit
- Created: 2021-06-17T12:20:25.000Z (over 3 years ago)
- Default Branch: master
- Last Pushed: 2023-11-05T09:07:19.000Z (12 months ago)
- Last Synced: 2024-07-06T23:23:16.267Z (4 months ago)
- Topics: csrf, esm, http, middleware, nodejs, security, session, tinyhttp
- Language: TypeScript
- Homepage: https://tinyhttp.v1rtl.site/mw/malibu
- Size: 223 KB
- Stars: 124
- Watchers: 4
- Forks: 4
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- Funding: .github/FUNDING.yml
- License: LICENSE
Awesome Lists containing this project
- awesome-indo-projects - Malibu - Framework-agnostic CSRF middleware, for Express, vanilla HTTP, Tinyhttp, Polka, and more!. (JavaScript)
- awesome-made-by-indonesian - Malibu - `Framework-agnostic CSRF middleware for modern Node.js` *by [tinyhttp](https://github.com/tinyhttp)* (M)
- awesome-node-esm - malibu - framework-agnostic CSRF middleware for modern Node.js (Packages / Middleware)
- made-in-indonesia - Malibu - `Framework-agnostic CSRF middleware for modern Node.js` *by [tinyhttp](https://github.com/tinyhttp)* (M)
- awesome-indonesia-repo - Malibu - Framework-agnostic CSRF middleware, for Express, vanilla HTTP, Tinyhttp, Polka, and more! (JavaScript)
README
[](https://npmjs.com/package/malibu) [](https://npmjs.com/package/malibu) [](https://github.com/tinyhttp/malibu/actions) [](https://coveralls.io/github/tinyhttp/malibu) [](https://www.codefactor.io/repository/github/tinyhttp/malibu)
This middleware helps web developers fight [CSRF](https://en.wikipedia.org/wiki/Cross-site_request_forgery) attacks. Bear in mind, by solely using this middleware, we can't guarantee your app will be free from CSRF attacks. Refer to [CSRF Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html) and [pillarjs/understanding-csrf](https://github.com/pillarjs/understanding-csrf) for more details.
* ⚡ Framework agnostic (works with Express, Tinyhttp, Polka, and more!)
* ✨ Native ESM (No CommonJS support)
* 🛠 Typescript typings out of the box
* 🚀 No legacy dependencies
## Install
```
pnpm i malibu
```
## Usage
Like all CSRF plugins, it depends on either Cookie Parser or Session middleware.
```js
import { App } from '@tinyhttp/app'
import { cookieParser } from '@tinyhttp/cookie-parser'
import { csrf } from 'malibu'
const app = new App()
const csrfProtection = csrf()
app.use(cookieParser())
// this lets you acquire CSRF token on response body
// you also have CSRF token on your cookies as _csrf
app.get('/', csrfProtection, (req, res) => {
res.status(200).json({ token: req.csrfToken() })
})
// you may only access this if you give a previously acquired CSRF token
app.post('/', csrfProtection, (req, res) => {
res.status(200).json({ message: 'hello' })
})
```
For signed cookies:
```js
const app = new App()
const csrfProtection = csrf({ cookie: { signed: true } })
app.use(cookieParser('secret key'))
// this lets you acquire CSRF token on the response body
// you also have a CSRF token on your cookies as _csrf
app.get('/', csrfProtection, (req, res) => {
res.status(200).json({ token: req.csrfToken() })
})
// you may only access this if you give a previously acquired CSRF token
app.post('/', csrfProtection, (req, res) => {
res.status(200).json({ message: 'hello' })
})
```
With [express-session](https://github.com/expressjs/session):
```js
import { App } from '@tinyhttp/app'
import session from 'express-session'
import { csrf } from 'malibu'
const app = new App()
const csrfProtection = csrf({ middleware: 'session' })
app.use(session({ secret: 'secret key', resave: false, saveUninitialized: false }))
// this lets you acquire CSRF token on response body
app.get('/', csrfProtection, (req, res) => {
res.status(200).json({ token: req.csrfToken() })
})
// you may only access this if you give a previously acquired CSRF token
app.post('/', csrfProtection, (req, res) => {
res.status(200).json({ message: 'hello' })
})
```
For detailed example, please refer to [examples](https://github.com/tinyhttp/tinyhttp/tree/master/examples/csrf)
## Options
| Name | Type | Default | Description |
| ------------ | ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| middleware | `string` | `cookie` | Specifies which middleware to look for. Available options are `cookie` and `session` |
| cookie | `CookieOptions` | `{ signed: false, key: '_csrf', path: '/' }` | `signed` specifies whether the cookie is signed or unsigned, `key` specifies to the cookie key, `path` specifies the domain of the cookie. For other options please refer to [@tinyhttp/cookie serializer options](https://github.com/tinyhttp/tinyhttp/tree/master/packages/cookie#options-1) |
| sessionKey | `string` | `session` | Specifies session key name |
| value | `(req: Request) => any` | `req.body._csrf, req.query._csrf, req.headers["csrf-token"], req.headers["xsrf-token"], req.headers["x-csrf-token"], req.headers["x-xsrf-token"]` | Specifies where to look for the CSRF token |
| ignoreMethod | `Array` | `["GET", "HEAD", "OPTIONS"]` | Specifies the HTTP Method in which CSRF protection will be disabled |
| saltLength | `number` | `8` | Specifies the salt length for CSRF token |
| secretLength | `number` | `18` | Specifies the secret length for CSRF Token |
## Why "malibu"?
It's one variation of a longboard used in surfing. It's a 60's style longboard, made with heavy glass, long parallel 50/50 rails, and a deep single fin. Made especially for trimming, (walking the board) and for noseriding. Not to mention, it looks cool.