Node.js CSRF protection middleware for H3.
This is a Node.js module available through the
npm registry. Installation is done using the
npm install
command:
$ npm install @chmking/h3-csrf
The CSRF protection middleware is added to H3 as a priority to inject csrfToken()
in the event
:
import { createServer } from 'http'
import { createApp, eventHandler, toNodeListener } from 'h3'
import { csrf } from '@chmking/h3-csrf'
const app = createApp()
app.use(eventHandler(csrf({ cookie: { ... } })))
const server = createServer(toNodeListener(app))
In following layers, the token can be retrieved from the event
:
handler(event: H3Event) => {
const token = event.node.req.csrfToken()
}
Creates a middleware for token creation an validation. The middleare injects event.req.csrfToken()
function to make a token which should be added to requests which mutate the state. This token it validated against the visitor's csrf cookie.
The csrf
function takes an optional Options
object that may contain the following keys:
A list of HTTP methods that will be verified by the CSRF middleware. Only the server endpoints corresponding to these methods will be verified.
Defaults:
['PATCH', 'POST', 'PUT', 'DELETE']
Cookie options define how the CSRF cookie gets serialized. This extends CookieSerializeOptions
from cookie-es
to include name
for cookie customization.
Defaults:
{
name: '_csrf',
path: '/'
}
Distributed under the MIT License. See LICENSE for more information.