hmac-csrf

0.1.1 • Public • Published

hmac-csrf

Express middleware

sessionless csrf with

  • HTTP Origin check for modern browsers.

  • Fall back to hmac token

  • Token generated based on the session cookie. Works with hmac signed cookies with a stateless server.

  • ability to exclude routes from the CSRF path.

  • Compatible with templates

    var HmacCsrf = require('hmac-csrf')

    var options = { 'secret': '123456', 'validityDelay': 86400, // the delay after which a CSRF token expires 'sessionCookie': 'connect.sid' // the cookie used in the HMAC generation 'algorithm': 'sha256', // the HMAC algorithm 'origin': null, // If the HTTP origin header should be used for CSRF protection, put it here 'templateAttr': 'locals', // the '_csrf' token will be set on res[templateAttr] 'ignore': [ // do not run CSRF validation for these paths '/foo/bar' ], 'keys': { 'query': '_csrf', 'body': '_csrf', 'header': 'x-csrf-token' } }

    app.use(HmacCsrf(options))

Package Sidebar

Install

npm i hmac-csrf

Weekly Downloads

1

Version

0.1.1

License

Public Domain

Last publish

Collaborators

  • nherment