csurf-noroutes v1.1.1
csurf with the ability to ignore routes
Node.js CSRF protection middleware fork based on the csurf module.
Requires either a session middleware or cookie-parser to be initialized first.
- If you are setting the "cookie" option to a non-false value, then you must use cookie-parser before this module.
- Otherwise, you must use a session middleware before this module. For example:
If you have questions on how this module is implemented, please read Understanding CSRF.
Installation
$ npm install csurf-noroutes
API
var csurfNoRoutes = require('csurf-noroutes')
csurfNoRoutes(options)
Create a middleware for CSRF token creation and validation. This middleware adds a req.csrfToken() function to make a token which should be added to requests which mutate state, within a hidden form field, query-string etc. This token is validated against the visitor's session or csrf cookie.
Options
The csurf-noroutes function takes an optional options object that may contain any of the csurf legacy keys.
A new option is available:
ignoreRoutes
An array of routes that the module ignores when checking for a valid CSRF token (typically routes used by the POST method). This option supports regular expressions to define URL patterns.
With strings:
{ignoreRoutes:['/my/first/route','/mySecond/route','etc..']}
With a regex:
{ignoreRoutes:[/\/remoteCalls\/(.*)/g]}
Both:
{ignoreRoutes:['/remoteCalls/login',/\/remoteCalls\/(.*)/g]}
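Every route a pattern matches loses CSRF validation, so regular-expression entries are worth checking before deployment. The following is an added example, not code from csurf-noroutes: its `isIgnored` helper is hypothetical and assumes RegExp entries are checked with `test()` and strings by exact comparison, and all paths are constructed; it shows how a missing `^` anchor and the global flag change what a pattern exempts.

```javascript
// Added example, not csurf-noroutes code. isIgnored() is a hypothetical
// matcher: it ASSUMES string entries are compared exactly and RegExp
// entries are checked with RegExp.prototype.test().
function isIgnored(path, ignoreRoutes) {
  return ignoreRoutes.some(function (route) {
    return route instanceof RegExp ? route.test(path) : route === path;
  });
}

// Constructed request paths.
var paths = [
  '/remoteCalls/login',                  // meant to skip CSRF validation
  '/account/delete/remoteCalls/x',       // should stay protected
  '/account/delete?next=/remoteCalls/x'  // should stay protected
];

// Which of the sample paths would a given ignoreRoutes list exempt?
function audit(ignoreRoutes) {
  return paths.map(function (p) { return isIgnored(p, ignoreRoutes); });
}

// Evaluate one path repeatedly against the same list, as a long-running
// server does across requests.
function repeatSamePath(ignoreRoutes, path, times) {
  var results = [];
  for (var i = 0; i < times; i++) results.push(isIgnored(path, ignoreRoutes));
  return results;
}

// README pattern without /g, to isolate the anchoring issue: it matches
// "/remoteCalls/" anywhere in the string, including inside a query string.
var unanchored = [/\/remoteCalls\/(.*)/];
// Tightened form: anchored at the start of the path, no global flag.
var anchored = [/^\/remoteCalls\//];
// README pattern as written: a /g regex keeps lastIndex between test()
// calls, so the same path alternates between matching and not matching.
var globalFlag = [/\/remoteCalls\/(.*)/g];

console.log('unanchored:', audit(unanchored));
console.log('anchored  :', audit(anchored));
console.log('global    :', repeatSamePath(globalFlag, '/remoteCalls/login', 4));
```

How the module itself evaluates patterns is not stated on this page, so confirm the behaviour by sending a tokenless request to each route that must stay protected after changing `ignoreRoutes`.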