How to use Express JS 4.0's csurf?


The csurf middleware is designed to reject requests that contain a payload (body parameters, for example) if it doesn't have a valid token. Here's how you would use it:

    var express = require('express');
    var app = express();

    // Parse URL-encoded form bodies so req.body.favoriteColor (and the _csrf field) are populated.
    app.use(require('body-parser').urlencoded({ extended: false }));
    app.use(require('cookie-parser')('YOUR SECRET GOES HERE'));
    // csurf keeps its per-session secret in req.session by default, so sessions must be set up before it.
    app.use(require('express-session')({ secret: 'YOUR SECRET GOES HERE', resave: false, saveUninitialized: true }));
    app.use(require('csurf')());

    app.get('/some-form', function(req, res){
        // Embed the token in the form; csurf checks the _csrf field on the POST.
        res.send('<form action="/process" method="POST">' +
            '<input type="hidden" name="_csrf" value="' + req.csrfToken() + '">' +
            'Favorite color: <input type="text" name="favoriteColor">' +
            '<button type="submit">Submit</button>' +
            '</form>');
    });

    app.post('/process', function(req, res){
        // Only reached when the token was valid; csurf rejects the request otherwise.
        res.send('<p>Your favorite color is "' + req.body.favoriteColor + '".</p>');
    });

    app.listen(3000);

Try taking out the req.csrfToken() (or replacing it with something else); you will find that the form no longer works.

Note that you need sessions for csurf to work. If you want to understand the reasons you would use csurf, see the Wikipedia article on cross-site request forgery (CSRF).