CSRF without sessions.
npm install stateless-csrf
This CSRF protection hashes a user's unique cookie against a server-side secret.
When the request comes in, the server hashes the cookie with the server-side secret and then compares it to the CSRF token. If it matches, verification is complete, otherwise the middleware rejects the request.
This is a slight variation on the double submit cookies using the advice mentioned in this comment in this blog post.
var csrf = require('stateless-csrf')
app.use(csrf({
secret: 'some server secret',
cookie: 'name of the cookie to hash against'
}))
app.use(function * (next) {
if ('GET' == this.method) {
this.body = this.state.csrf
} else if ('POST' == this.method) {
this.body = 'protected area';
}
})
npm install
make test
- Add a salt: not sure if this is necessary since the user token is already unique.
- Add an expiration: not sure this is necessary since the cookie has an expiration.
I am not a security expert nor have I done a security audit on this code.
Use this at your own risk, and if you can think of any ways to make this more secure, let me know!
MIT
Copyright (c) 2015 Matthew Mueller <mattmuelle@gmail.com>