org.http4s.server.middleware

CSRF

final class CSRF[F[_]] extends AnyRef

Middleware to protect against Cross-Site Request Forgery (CSRF) attacks. More info on CSRF at: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

This middleware is modeled after the double submit cookie pattern: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Double_Submit_Cookie

When a user authenticates, embedNew is used to send a random CSRF value as a cookie. (Alternatively, an authenticating service can be wrapped in withNewToken).

By default, for requests with unsafe methods (PUT, POST, DELETE, PATCH), services wrapped by the validate method of this middleware check that a valid CSRF token is present both in the header headerName and in the cookie cookieName, and that the two match. Because of the same-origin policy, a page on another origin cannot read the cookie and so cannot copy its value into the custom header; a forged cross-site request therefore fails the check and receives a 401 Unauthorized response. As with any double-submit scheme, this assumes the attacker can neither read nor set cookies for your origin (for example through an XSS flaw, or a cookie planted from a sibling subdomain).

By default, requests with safe methods (GET, HEAD, OPTIONS) that carry no token receive a newly generated one, and those that carry a valid token receive a refreshed token derived from the previous one. The refresh mitigates BREACH, a compression side channel that recovers a secret repeated verbatim across responses, by ensuring the token bytes differ from response to response. A request that carries an invalid token is rejected with 401 Unauthorized regardless of its method; in that situation, users should clear their cookies for your site to receive a new token.

The predicate passed to validate determines which requests skip the header check; by default it is _.method.isSafe. Supplying your own predicate lets you allowlist particular kinds of requests, but every request the predicate admits is left unprotected, so keep it as narrow as possible.

Please follow proper design principles when creating endpoints: safe methods must not mutate state (no dropping your database or altering user data in a GET handler). Do not treat the CSRF protection of this middleware as a safety net for that kind of design error; by default it does not check the header on safe requests at all.
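The class description above is the whole of the mechanism. The following is an added, self-contained Python model of it, so that the behaviour of validate, embedNew and the BREACH-motivated refresh can be exercised offline; it is not http4s code and not part of this page. The Request and Response stand-ins, the CsrfGuard class, and the token layout raw-nonce-HMAC are my constructions: http4s's own token format and constructor are not shown on this page, and the HMAC signature is my choice of how a token can be "valid" and refreshable without minting a new random id.

```python
"""Model of the double-submit-cookie CSRF check described above (illustrative, not http4s code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    method: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    """Minimal stand-in for an HTTP response; set_cookies models Set-Cookie headers."""
    status: int
    body: str = ""
    set_cookies: Dict[str, str] = field(default_factory=dict)


class CsrfGuard:
    """Double-submit cookie guard. Token layout (my choice, not http4s's wire format):
    <raw>-<nonce>-<hmac>, where raw is the per-session random id, nonce changes on
    every refresh, and hmac = HMAC-SHA256(key, "raw-nonce") makes tokens unforgeable."""

    def __init__(self, key: bytes, header_name: str = "X-Csrf-Token",
                 cookie_name: str = "csrf-token") -> None:
        self.key = key
        self.header_name = header_name
        self.cookie_name = cookie_name

    def _sign(self, raw: str, nonce: str) -> str:
        return hmac.new(self.key, f"{raw}-{nonce}".encode(), hashlib.sha256).hexdigest()

    def new_token(self) -> str:
        """Fresh token with a new secure random id (what embedNew hands out on login)."""
        raw = secrets.token_hex(16)
        nonce = secrets.token_hex(8)
        return f"{raw}-{nonce}-{self._sign(raw, nonce)}"

    def extract_raw(self, token: str) -> Optional[str]:
        """Return the random id if the token's signature verifies, else None."""
        parts = token.split("-")
        if len(parts) != 3:
            return None
        raw, nonce, sig = parts
        if not hmac.compare_digest(sig, self._sign(raw, nonce)):
            return None
        return raw

    def refresh(self, raw: str) -> str:
        """Re-sign the same id with a new nonce: the cookie bytes change on every
        response (BREACH mitigation) but no new random id is generated."""
        nonce = secrets.token_hex(8)
        return f"{raw}-{nonce}-{self._sign(raw, nonce)}"

    def validate(self, request: Request, service: Callable[[Request], Response],
                 predicate: Callable[[Request], bool] = lambda r: r.method in SAFE_METHODS,
                 ) -> Response:
        """Mirror of validate(predicate): requests satisfying the predicate skip the
        header check but still get a token embedded or refreshed; all others must carry
        matching, valid tokens in both the cookie and the header."""
        cookie = request.cookies.get(self.cookie_name)
        if predicate(request):
            if cookie is None:                      # safe request without a token: embed one
                resp = service(request)
                resp.set_cookies[self.cookie_name] = self.new_token()
                return resp
            raw = self.extract_raw(cookie)
            if raw is None:                         # an invalid token fails even a GET
                return Response(401)
            resp = service(request)
            resp.set_cookies[self.cookie_name] = self.refresh(raw)
            return resp
        header = request.headers.get(self.header_name)
        if cookie is None or header is None:
            return Response(401)
        raw_cookie = self.extract_raw(cookie)
        raw_header = self.extract_raw(header)
        if raw_cookie is None or raw_header is None:
            return Response(401)
        if not hmac.compare_digest(raw_cookie, raw_header):  # double submit: both must agree
            return Response(401)
        resp = service(request)
        resp.set_cookies[self.cookie_name] = self.refresh(raw_cookie)
        return resp
```

Two points the model makes visible: a token signed under a different key fails extract_raw, so an attacker who can plant a cookie still cannot satisfy the check unless they also hold the server key; and because the refresh keeps the random id, a header copied from an older cookie still matches a newer one, which is what lets the token rotate on every response without breaking in-flight forms. Header lookup here is an exact dictionary match, whereas a real server must treat header names case-insensitively.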


Value Members

  1. val cookieName: String

    The name of the cookie that carries the CSRF token.

  2. def embedNew(res: Response[F]): F[Response[F]]

    Embed a freshly generated token into a response, as the cookie cookieName. Use this on the response that completes authentication.

  3. val headerName: String

    The name of the request header in which clients must echo the CSRF token on unsafe requests.

  4. def validate(predicate: (Request[F]) ⇒ Boolean = _.method.isSafe): HttpMiddleware[F]

    Constructs a middleware that, for requests not satisfying the predicate, checks that a valid CSRF token is present in both the cookie cookieName and the header headerName, and that the two match. Requests that fail the check are rejected with 401 Unauthorized.

    If the token is valid, the response carries a refreshed token derived from the existing one rather than from a new secure random id, so the bytes on the wire change on every response. This guards against BREACH (http://breachattack.com/), which recovers secrets that stay constant across compressed responses.

  5. def withNewToken: HttpMiddleware[F]

    Middleware that embeds a new CSRF token into the responses of routes whose requests do not already carry one.
