the CSRF cookie name
Embed a token into a response
your CSRF header name
Constructs a middleware that checks for the presence of the CSRF token in both the expected cookie and the expected header, and that the two values match.
If the token is valid, the middleware then embeds a new one derived from the same random id, so that the complete token value sent to the client changes on every response without generating a new secure random id. Rotating the token this way guards against [BREACH](http://breachattack.com/), which can recover a secret only if it stays constant across many compressed responses.
Middleware to embed a CSRF token into responses for routes that do not already carry one.
Middleware to avoid Cross-site request forgery attacks. More info on CSRF at: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
This middleware is modeled after the double submit cookie pattern: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#DoubleSubmit_Cookie
When a user authenticates, `embedNew` is used to send a random CSRF value as a cookie. (Alternatively, an authenticating service can be wrapped in `withNewToken`.) Services protected by the `validate` middleware then check that the same value is present in both the header `headerName` and the cookie `cookieName`. Because of the Same-Origin Policy, a page served from another origin can neither read the cookie nor attach its value to a custom request header, so a forged cross-site request fails the check and receives a `403 Forbidden` response.
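The double submit cookie flow described above, written out as an added, framework-free example rather than the middleware's own code. The token layout (`randomId-timestamp-hmac`), the cookie and header names, the set of safe methods that skip the check, and the `Request`/`Response` shapes are assumptions for the example, not the page's API. The validating wrapper also shows the BREACH mitigation from above: after a successful check it re-signs the same random id with a fresh timestamp, so the cookie value changes on every response without a new random id.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Assumed names for this example; the real middleware takes them as parameters.
COOKIE_NAME = "csrf-token"
HEADER_NAME = "X-Csrf-Token"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # assumption: only unsafe methods are checked


@dataclass
class Request:  # minimal stand-in for a framework request
    method: str
    cookies: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:  # minimal stand-in; `cookies` models Set-Cookie values
    status: int
    cookies: Dict[str, str] = field(default_factory=dict)


Handler = Callable[[Request], Response]


class Csrf:
    """Double submit cookie with HMAC-signed tokens (constructed example)."""

    def __init__(self, key: bytes, cookie_name: str = COOKIE_NAME, header_name: str = HEADER_NAME):
        self.key = key
        self.cookie_name = cookie_name
        self.header_name = header_name
        self._last_ts = 0

    def _now(self) -> int:
        # Strictly increasing timestamp so two re-signings never produce the same token.
        ts = max(time.time_ns(), self._last_ts + 1)
        self._last_ts = ts
        return ts

    def _sign(self, random_id: str, ts: int) -> str:
        body = f"{random_id}-{ts}"
        mac = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}-{mac}"

    def generate(self) -> str:
        # Fresh secure random id; this is the expensive step the rotation avoids.
        return self._sign(secrets.token_hex(16), self._now())

    def extract_id(self, token: str) -> Optional[str]:
        # Returns the random id if the signature verifies, else None.
        parts = token.split("-")
        if len(parts) != 3:
            return None
        random_id, ts, mac = parts
        expected = hmac.new(self.key, f"{random_id}-{ts}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return None
        return random_id

    def embed_new(self, handler: Handler) -> Handler:
        # Sets a token cookie on responses to requests that do not already carry one.
        def wrapped(req: Request) -> Response:
            resp = handler(req)
            if self.cookie_name not in req.cookies:
                resp.cookies[self.cookie_name] = self.generate()
            return resp
        return wrapped

    def validate(self, handler: Handler) -> Handler:
        # Requires the same valid token in cookie and header; 403 otherwise.
        def wrapped(req: Request) -> Response:
            if req.method in SAFE_METHODS:
                return self.embed_new(handler)(req)
            cookie = req.cookies.get(self.cookie_name)
            header = req.headers.get(self.header_name)
            if cookie is None or header is None:
                return Response(403)
            if not hmac.compare_digest(cookie.encode(), header.encode()):
                return Response(403)
            random_id = self.extract_id(cookie)
            if random_id is None:
                return Response(403)
            resp = handler(req)
            # Rotate: same random id, new timestamp, so the full token differs per response.
            resp.cookies[self.cookie_name] = self._sign(random_id, self._now())
            return resp
        return wrapped
```

The cookie must be readable by the page's own scripts (not `HttpOnly`) so that the client can copy it into the header; `Secure` and `SameSite` should still be set. Comparing cookie and header before verifying the signature is cheap, but the signature check is what stops an attacker from planting an arbitrary matching pair via a subdomain cookie injection.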