@chmking/h3-csrf NPM

H3 CSRF

Node.js CSRF protection middleware for H3.

Installation

This is a Node.js module available through the npm registry. Installation is done using the npm install command:

$ npm install @chmking/h3-csrf

Usage

The CSRF protection middleware is added to H3 as a priority to inject csrfToken() in the event:

import { createServer } from 'http'
import { createApp, eventHandler, toNodeListener } from 'h3'
import { csrf } from '@chmking/h3-csrf'

const app = createApp()
app.use(eventHandler(csrf({ cookie: { ... } })))

const server = createServer(toNodeListener(app))

In following layers, the token can be retrieved from the event:

handler(event: H3Event) => {
    const token = event.node.req.csrfToken()
}

csrf(options)

Creates a middleware for token creation an validation. The middleare injects event.req.csrfToken() function to make a token which should be added to requests which mutate the state. This token it validated against the visitor's csrf cookie.

Options

The csrf function takes an optional Options object that may contain the following keys:

verifiedMehtods?: Array\<HTTPMethod>

A list of HTTP methods that will be verified by the CSRF middleware. Only the server endpoints corresponding to these methods will be verified.

Defaults:

['PATCH', 'POST', 'PUT', 'DELETE']

cookie?: CookieOptions

Cookie options define how the CSRF cookie gets serialized. This extends CookieSerializeOptions from cookie-es to include name for cookie customization.

Defaults: