2.0.0 • Published 7 years ago
express-secure v2.0.0
express-secure
Keep your express application secure from CSRF attacks. It uses a combination of HTTP only JWT and a CSRF token stored in the session.
Used with express as middleware.
Example
var express = require('express');
var expresssecure = require('express-secure');
var app = express();
app.use(/* session */);
app.use(expresssecure({
secret: 'thisisasecret',
ignore: [
'/login'
],
error: function(req,res,next) {
res.send(JSON.stringify({
success: false,
reason: "Access Denied"
}));
res.end();
}
}));
/*
* Ignored route
*/
app.post('/login', function(req, res) {
/*
* Verify Login
*/
// Set the httpOnly cookie containing the JWT
res.setJwtCookie((err) {
req.getCsrfToken((err, csrf) {
// send back response including csrf
});
});
});
/*
* Secure routes
*/
app.post('/users', /* Get Users */);