H3 CSRF

Node.js CSRF protection middleware for H3.

This is a Node.js module available through the npm registry. Installation is done using the npm install command:

$ npm install @chmking/h3-csrf

The CSRF protection middleware is added to H3 as a priority to inject csrfToken() in the event:

import { createServer } from 'http'
import { createApp, eventHandler, toNodeListener } from 'h3'
import { csrf } from '@chmking/h3-csrf'

const app = createApp()
app.use(eventHandler(csrf({ cookie: { ... } })))

const server = createServer(toNodeListener(app))

In following layers, the token can be retrieved from the event:

handler(event: H3Event) => {
    const token = event.node.req.csrfToken()
}

Creates a middleware for token creation an validation. The middleare injects event.req.csrfToken() function to make a token which should be added to requests which mutate the state. This token it validated against the visitor's csrf cookie.

The csrf function takes an optional Options object that may contain the following keys:

A list of HTTP methods that will be verified by the CSRF middleware. Only the server endpoints corresponding to these methods will be verified.

Defaults:

['PATCH', 'POST', 'PUT', 'DELETE']

Cookie options define how the CSRF cookie gets serialized. This extends CookieSerializeOptions from cookie-es to include name for cookie customization.

Defaults:

{
    name: '_csrf',
    path: '/'
}

Distributed under the MIT License. See LICENSE for more information.