1.0.1 • Published 8 years ago

bluegate-csrf v1.0.1

License
MIT

BlueGate CSRF


Add CSRF protection to forms and links. This module requires routes written as ES6 classes with the BlueGate class module (bluegate-class), and requires sessions provided by BlueGate session (bluegate-session).

This module can protect forms and links against CSRF-attacks. See the OWASP site for more information about CSRF.

Installation

Install using npm install bluegate-csrf bluegate-class bluegate-session

Quick example

Load the module in the main application file.

var BlueGate = require('bluegate');
var app = new BlueGate();
app.listen(8080);

require('bluegate-class')(app);
require('bluegate-session')(app);
require('bluegate-csrf')(app);

Add a hidden element named csrfToken with the token retrieved from the function parameters.

/**
 * @Route("GET /form")
 */
module.exports = class FormRoute {
  process(csrfToken) {
    // The form must POST, otherwise the submission would hit this GET route
    // again instead of the protected POST route below.
    return '<html>'
      + '<form action="/form" method="post">'
      + '<input type="hidden" name="csrfToken" value="' + csrfToken + '" />'
      + '<input type="text" name="name" />'
      + '<input type="submit" />'
      + '</form>'
      + '</html>';
  }
}

And add the Csrf-annotation in the POST route:

/**
 * @Route("POST /form")
 * @Post("name", type="string")
 * @Csrf(true)
 */
module.exports = class FormPostRoute {
  // The csrfToken field is checked in the prevalidation hook; process() only
  // runs when the token is valid.
  process(name) {
    return {
      name
    };
  }
}

The form is now protected against CSRF-attacks when the user has a session. An error is thrown in the prevalidation hook when the token is missing or invalid.

Protection of links

You should consider CSRF protection for links that can perform harmful actions.

/**
 * @Route("GET /link")
 */
module.exports = class LinkRoute {
  process(csrfToken) {
    return `<a href="/link/action/${csrfToken}">do something</a>`;
  }
}

The route for the linked page needs to have the Csrf-annotation and must map the path part with the name "csrfToken".

/**
 * @Route("GET /link/action/<csrfToken:string>")
 * @Csrf(true)
 */
module.exports = class LinkActionRoute {
  process() {
    return {};
  }
}

Security considerations

The protection is only active for users with a session (i.e. authenticated users). Visitors without a session are not protected, for performance reasons: per-visitor tokens would conflict with any form of page caching. It is however highly unlikely that anonymous requests involve state-changing actions and thus require CSRF protection.

The CSRF-token is based on the session id, but does not include the whole session id to avoid leaking it.

Using GET requests for state changing requests is discouraged when using sensitive data, even when adding CSRF protection. This is because disclosure of tokens is more likely for GET requests.
