server-csrf-check v1.0.0
Validate a client-side CSRF token + cookie on a server.
This package implements a stateless CSRF check (the "double-submit cookie" pattern): every request must carry both a cookie and an HTTP header with the same token. The server only verifies that the two values are equal; no token state is kept server-side. This works because a page can only read and write cookies for its own origin, so only script running on the legitimate site can copy the cookie value into the header, while a cross-site form or fetch cannot.
It compares the X-CSRF-token header value with the CSRF_token cookie value. Clients are responsible for setting both.
This is a first layer of defence that is relatively cheap to implement but is defeated by XSS, since injected script on the site can read the cookie and set the header. To also cover XSS-driven CSRF, consider per-request tokens.
It is also not a replacement for authentication tokens (OAuth or otherwise); it merely prevents existing session credentials from being replayed by a cross-site request.
Installation
$ npm install server-csrf-check
Usage
const csrfCheck = require('server-csrf-check')
const http = require('http')

http.createServer(function (req, res) {
  // Reject the request unless the X-CSRF-token header matches the CSRF_token cookie
  if (!csrfCheck(req, res)) return res.end('CSRF detected')
  res.end('all good')
}).listen() // no port given: Node picks a free one
API
bool = serverCsrfCheck(req, res)
Check an IncomingMessage for the equality of an X-CSRF-token header and a CSRF_token cookie. Returns a boolean.
See Also
License