primary logic behind csrf tokens
A utility package to help implement stateless CSRF protection using the Double Submit Cookie Pattern in express.
Simple pub/sub messaging for the web
A utility package to help implement stateful CSRF protection using the Synchroniser Token Pattern in express.
primary logic behind csrf tokens
A plugin for adding CSRF protection to Fastify.
A message bus client in JavaScript
generate random IDs and avoid collisions
LiveReload JS client - auto reload browser on changes
TypeScript definitions for koa-csrf
TypeScript definitions for hat
Nuxt Cross-Site Request Forgery (CSRF) Prevention
CSRF mitigation library for Next.js
Framework-agnostic CSRF protection core functionality
CSRF protection middleware for Next.js applications
An input element that validates its value with a server endpoint.
A fork of csurf with ongoing maintenance from the Sails core team
Convert form parameters to an object using the same logic as Rack
CSRF crumb generation and validation plugin
Tiny CSRF library for use with ExpressJS
primary logic behind csrf tokens
A lightweight REST client for node.js and the browser
CSRF core package used alone or useful to create other packages
RFC6265 Cookies and Cookie Jar for node.js
Anti-CSRF Rack middleware
This middleware helps you identify when a GET request results in an application state-change
Rack middleware for CSRF protection without a token
A simpler CSRF middleware for Rack.
Anti-CSRF Rack middleware
The middleware makes sure any request to specified paths would have been preflighted if it was sent by a browser. We don't want random websites to be able to execute actual GraphQL operations from a user's browser unless our CORS policy supports it. It's not good enough just to ensure that the browser can't read the response from the operation; we also want to prevent CSRF, where the attacker can cause side effects with an operation or can measure the timing of a read operation. Our goal is to ensure that we don't run the context function or execute the GraphQL operation until the browser has evaluated the CORS policy, which means we want all operations to be preflighted. We can do that by only processing operations that have at least one header set that appears to be set manually by the JS code rather than automatically by the browser. POST requests generally have a content-type of `application/json`, which is sufficient to trigger preflighting. So we take extra care with requests that specify no content-type or that specify one of the three non-preflighted content types. For those operations, we require one of a set of specific headers to be set. By ensuring that every operation either has a custom content-type or sets one of these headers, we know we won't execute operations at the request of origins that our CORS policy would block.
This middleware builds on top of rack-cors, using CORS rules to mitigate CSRF attacks.
Rack Middleware that produces the same ETag for responses that only differ in CSRF tokens or CSP nonce
A Rack middleware for preventing CSRF attacks using the Sec-Fetch-Site header
roda-rails offers integration for Roda when used as Rack middleware in a Rails application. It allows the Roda middleware to use Rails flash handling as well as Rails' CSRF support.