Nodejs make automatic csrf protection
Well, I am building a simple Node.js CMS. My question is simple: how can I make CSRF protection automatic? I think it is dangerous that I could miss this protection on a form or route. Is there any way to automate this process?
At the moment I am using this.
Routes.js
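// CSRF
// Per-route CSRF middleware (csurf). `cookie: true` keeps the CSRF secret in a
// client-side cookie (csurf's default cookie name is `_csrf`); cookie mode
// requires cookie-parser to be mounted before this middleware, which is not
// shown in this file.
// NOTE(review): in production prefer explicit cookie options over a bare `true`,
// e.g. `cookie: { httpOnly: true, sameSite: 'strict', secure: true }`, so the
// secret cookie is not readable from script and is only sent over HTTPS.
// NOTE(review): csurf has since been deprecated by its maintainers; confirm a
// maintained CSRF library before relying on this long-term.
var csrfProtection = csrf({
  cookie: true
});

// Body parser for classic HTML form posts. On POST routes it must run before
// csrfProtection so the `_csrf` form field is available in req.body when the
// token is verified.
var parseForm = bodyParser.urlencoded({
  extended: false
});

// Register
// The GET handler also runs csrfProtection: that is what provides
// req.csrfToken() and sets the secret cookie the token is tied to.
router.get("/register", csrfProtection, shouldNotBeAuthenticated, function (req, res) {
  res.render("../modules/users/views/register", {
    title: 'Register',
    // Call the function explicitly: csurf attaches req.csrfToken as a
    // function, and passing the bare reference only works when the view
    // engine happens to invoke function values found in the context.
    csrfToken: req.csrfToken()
  });
});
// POST: parse the body first, then verify the token, then handle registration.
router.post("/register", parseForm, csrfProtection, authController.user_reigster);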
Form
<!-- csurf reads the token from the `_csrf` body field by default, so this
     input name must stay `_csrf`; the value is the token the GET handler
     passed to the view. Presumably the router is mounted under /users — verify. -->
<form method="post" action="/users/register">
<input type="hidden" name="_csrf" value="{{csrfToken}}">
The package is CSURF.
Thanks for any advice.
javascript node.js forms csrf csrf-protection
Well, I am building a simple Node.js CMS. My question is simple: how can I make CSRF protection automatic? I think it is dangerous that I could miss this protection on a form or route. Is there any way to automate this process?
At the moment I am using this.
Routes.js
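// CSRF
// Per-route CSRF middleware (csurf). `cookie: true` keeps the CSRF secret in a
// client-side cookie (csurf's default cookie name is `_csrf`); cookie mode
// requires cookie-parser to be mounted before this middleware, which is not
// shown in this file.
// NOTE(review): in production prefer explicit cookie options over a bare `true`,
// e.g. `cookie: { httpOnly: true, sameSite: 'strict', secure: true }`, so the
// secret cookie is not readable from script and is only sent over HTTPS.
// NOTE(review): csurf has since been deprecated by its maintainers; confirm a
// maintained CSRF library before relying on this long-term.
var csrfProtection = csrf({
  cookie: true
});

// Body parser for classic HTML form posts. On POST routes it must run before
// csrfProtection so the `_csrf` form field is available in req.body when the
// token is verified.
var parseForm = bodyParser.urlencoded({
  extended: false
});

// Register
// The GET handler also runs csrfProtection: that is what provides
// req.csrfToken() and sets the secret cookie the token is tied to.
router.get("/register", csrfProtection, shouldNotBeAuthenticated, function (req, res) {
  res.render("../modules/users/views/register", {
    title: 'Register',
    // Call the function explicitly: csurf attaches req.csrfToken as a
    // function, and passing the bare reference only works when the view
    // engine happens to invoke function values found in the context.
    csrfToken: req.csrfToken()
  });
});
// POST: parse the body first, then verify the token, then handle registration.
router.post("/register", parseForm, csrfProtection, authController.user_reigster);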
Form
<!-- csurf reads the token from the `_csrf` body field by default, so this
     input name must stay `_csrf`; the value is the token the GET handler
     passed to the view. Presumably the router is mounted under /users — verify. -->
<form method="post" action="/users/register">
<input type="hidden" name="_csrf" value="{{csrfToken}}">
The package is CSURF.
Thanks for any advice.
javascript node.js forms csrf csrf-protection
Well, I am building a simple Node.js CMS. My question is simple: how can I make CSRF protection automatic? I think it is dangerous that I could miss this protection on a form or route. Is there any way to automate this process?
At the moment I am using this.
Routes.js
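// CSRF
// Per-route CSRF middleware (csurf). `cookie: true` keeps the CSRF secret in a
// client-side cookie (csurf's default cookie name is `_csrf`); cookie mode
// requires cookie-parser to be mounted before this middleware, which is not
// shown in this file.
// NOTE(review): in production prefer explicit cookie options over a bare `true`,
// e.g. `cookie: { httpOnly: true, sameSite: 'strict', secure: true }`, so the
// secret cookie is not readable from script and is only sent over HTTPS.
// NOTE(review): csurf has since been deprecated by its maintainers; confirm a
// maintained CSRF library before relying on this long-term.
var csrfProtection = csrf({
  cookie: true
});

// Body parser for classic HTML form posts. On POST routes it must run before
// csrfProtection so the `_csrf` form field is available in req.body when the
// token is verified.
var parseForm = bodyParser.urlencoded({
  extended: false
});

// Register
// The GET handler also runs csrfProtection: that is what provides
// req.csrfToken() and sets the secret cookie the token is tied to.
router.get("/register", csrfProtection, shouldNotBeAuthenticated, function (req, res) {
  res.render("../modules/users/views/register", {
    title: 'Register',
    // Call the function explicitly: csurf attaches req.csrfToken as a
    // function, and passing the bare reference only works when the view
    // engine happens to invoke function values found in the context.
    csrfToken: req.csrfToken()
  });
});
// POST: parse the body first, then verify the token, then handle registration.
router.post("/register", parseForm, csrfProtection, authController.user_reigster);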
Form
<!-- csurf reads the token from the `_csrf` body field by default, so this
     input name must stay `_csrf`; the value is the token the GET handler
     passed to the view. Presumably the router is mounted under /users — verify. -->
<form method="post" action="/users/register">
<input type="hidden" name="_csrf" value="{{csrfToken}}">
The package is CSURF.
Thanks for any advice.
javascript node.js forms csrf csrf-protection
Well, I am building a simple Node.js CMS. My question is simple: how can I make CSRF protection automatic? I think it is dangerous that I could miss this protection on a form or route. Is there any way to automate this process?
At the moment I am using this.
Routes.js
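// CSRF
// Per-route CSRF middleware (csurf). `cookie: true` keeps the CSRF secret in a
// client-side cookie (csurf's default cookie name is `_csrf`); cookie mode
// requires cookie-parser to be mounted before this middleware, which is not
// shown in this file.
// NOTE(review): in production prefer explicit cookie options over a bare `true`,
// e.g. `cookie: { httpOnly: true, sameSite: 'strict', secure: true }`, so the
// secret cookie is not readable from script and is only sent over HTTPS.
// NOTE(review): csurf has since been deprecated by its maintainers; confirm a
// maintained CSRF library before relying on this long-term.
var csrfProtection = csrf({
  cookie: true
});

// Body parser for classic HTML form posts. On POST routes it must run before
// csrfProtection so the `_csrf` form field is available in req.body when the
// token is verified.
var parseForm = bodyParser.urlencoded({
  extended: false
});

// Register
// The GET handler also runs csrfProtection: that is what provides
// req.csrfToken() and sets the secret cookie the token is tied to.
router.get("/register", csrfProtection, shouldNotBeAuthenticated, function (req, res) {
  res.render("../modules/users/views/register", {
    title: 'Register',
    // Call the function explicitly: csurf attaches req.csrfToken as a
    // function, and passing the bare reference only works when the view
    // engine happens to invoke function values found in the context.
    csrfToken: req.csrfToken()
  });
});
// POST: parse the body first, then verify the token, then handle registration.
router.post("/register", parseForm, csrfProtection, authController.user_reigster);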
Form
<!-- csurf reads the token from the `_csrf` body field by default, so this
     input name must stay `_csrf`; the value is the token the GET handler
     passed to the view. Presumably the router is mounted under /users — verify. -->
<form method="post" action="/users/register">
<input type="hidden" name="_csrf" value="{{csrfToken}}">
The package is CSURF.
Thanks for any advice.
javascript node.js forms csrf csrf-protection
javascript node.js forms csrf csrf-protection
edited Nov 15 at 19:49
asked Nov 15 at 19:24
Juraj Jakubov
1 Answer
I think that you are on the right track.
The middleware should be applied to ALL POST requests*. An example on the CSURF readme shows the way to do it (worth reading carefully):
// mount api before csrf is appended to the app stack
// Express runs middleware in mount order, so a router mounted before the
// csrf line below is not covered by it (here: the /api router).
app.use('/api', api)
// now add csrf and other middlewares, after the "/api" was mounted
// Order matters: the body parser and cookie-parser must be mounted before
// csrf() so the submitted token (req.body) and the secret cookie are readable
// when the token is verified.
app.use(bodyParser.urlencoded({ extended: false }))
app.use(cookieParser())
// NOTE(review): `cookie: true` stores the CSRF secret in a client cookie; in
// production prefer explicit cookie options (httpOnly/secure/sameSite) over a
// bare `true`.
app.use(csrf({ cookie: true }))
You should be using a templating language for the user interface, with either a shared form template or a rendering filter that finds every form and inserts the CSRF hidden field into it.
If you are making AJAX POSTs (XMLHttpRequest), that will also need to be thought through and is well covered on this site.
* If you have API routes, they should be grouped and excluded from CSRF — which is only safe if those routes do not rely on cookie/session authentication (e.g. they use bearer tokens), since a cookie-authenticated endpoint without a token check remains forgeable.
Thanks successfully implemented :D yes sometimes is good to read documentation ...
– Juraj Jakubov
Nov 16 at 19:15
I think that you are on the right track.
The middleware should be applied to ALL POST requests*. An example on the CSURF readme shows the way to do it (worth reading carefully):
// mount api before csrf is appended to the app stack
// Express runs middleware in mount order, so a router mounted before the
// csrf line below is not covered by it (here: the /api router).
app.use('/api', api)
// now add csrf and other middlewares, after the "/api" was mounted
// Order matters: the body parser and cookie-parser must be mounted before
// csrf() so the submitted token (req.body) and the secret cookie are readable
// when the token is verified.
app.use(bodyParser.urlencoded({ extended: false }))
app.use(cookieParser())
// NOTE(review): `cookie: true` stores the CSRF secret in a client cookie; in
// production prefer explicit cookie options (httpOnly/secure/sameSite) over a
// bare `true`.
app.use(csrf({ cookie: true }))
You should be using a templating language for the user interface, with either a shared form template or a rendering filter that finds every form and inserts the CSRF hidden field into it.
If you are making AJAX POSTs (XMLHttpRequest), that will also need to be thought through and is well covered on this site.
* If you have API routes, they should be grouped and excluded from CSRF — which is only safe if those routes do not rely on cookie/session authentication (e.g. they use bearer tokens), since a cookie-authenticated endpoint without a token check remains forgeable.
Thanks successfully implemented :D yes sometimes is good to read documentation ...
– Juraj Jakubov
Nov 16 at 19:15
I think that you are on the right track.
The middleware should be applied to ALL POST requests*. An example on the CSURF readme shows the way to do it (worth reading carefully):
// mount api before csrf is appended to the app stack
// Express runs middleware in mount order, so a router mounted before the
// csrf line below is not covered by it (here: the /api router).
app.use('/api', api)
// now add csrf and other middlewares, after the "/api" was mounted
// Order matters: the body parser and cookie-parser must be mounted before
// csrf() so the submitted token (req.body) and the secret cookie are readable
// when the token is verified.
app.use(bodyParser.urlencoded({ extended: false }))
app.use(cookieParser())
// NOTE(review): `cookie: true` stores the CSRF secret in a client cookie; in
// production prefer explicit cookie options (httpOnly/secure/sameSite) over a
// bare `true`.
app.use(csrf({ cookie: true }))
You should be using a templating language for the user interface, with either a shared form template or a rendering filter that finds every form and inserts the CSRF hidden field into it.
If you are making AJAX POSTs (XMLHttpRequest), that will also need to be thought through and is well covered on this site.
* If you have API routes, they should be grouped and excluded from CSRF — which is only safe if those routes do not rely on cookie/session authentication (e.g. they use bearer tokens), since a cookie-authenticated endpoint without a token check remains forgeable.
Thanks successfully implemented :D yes sometimes is good to read documentation ...
– Juraj Jakubov
Nov 16 at 19:15
I think that you are on the right track.
The middleware should be applied to ALL POST requests*. An example on the CSURF readme shows the way to do it (worth reading carefully):
// mount api before csrf is appended to the app stack
// Express runs middleware in mount order, so a router mounted before the
// csrf line below is not covered by it (here: the /api router).
app.use('/api', api)
// now add csrf and other middlewares, after the "/api" was mounted
// Order matters: the body parser and cookie-parser must be mounted before
// csrf() so the submitted token (req.body) and the secret cookie are readable
// when the token is verified.
app.use(bodyParser.urlencoded({ extended: false }))
app.use(cookieParser())
// NOTE(review): `cookie: true` stores the CSRF secret in a client cookie; in
// production prefer explicit cookie options (httpOnly/secure/sameSite) over a
// bare `true`.
app.use(csrf({ cookie: true }))
You should be using a templating language for the user interface, with either a shared form template or a rendering filter that finds every form and inserts the CSRF hidden field into it.
If you are making AJAX POSTs (XMLHttpRequest), that will also need to be thought through and is well covered on this site.
* If you have API routes, they should be grouped and excluded from CSRF — which is only safe if those routes do not rely on cookie/session authentication (e.g. they use bearer tokens), since a cookie-authenticated endpoint without a token check remains forgeable.
I think that you are on the right track.
The middleware should be applied to ALL POST requests*. An example on the CSURF readme shows the way to do it (worth reading carefully):
// mount api before csrf is appended to the app stack
// Express runs middleware in mount order, so a router mounted before the
// csrf line below is not covered by it (here: the /api router).
app.use('/api', api)
// now add csrf and other middlewares, after the "/api" was mounted
// Order matters: the body parser and cookie-parser must be mounted before
// csrf() so the submitted token (req.body) and the secret cookie are readable
// when the token is verified.
app.use(bodyParser.urlencoded({ extended: false }))
app.use(cookieParser())
// NOTE(review): `cookie: true` stores the CSRF secret in a client cookie; in
// production prefer explicit cookie options (httpOnly/secure/sameSite) over a
// bare `true`.
app.use(csrf({ cookie: true }))
You should be using a templating language for the user interface, with either a shared form template or a rendering filter that finds every form and inserts the CSRF hidden field into it.
If you are making AJAX POSTs (XMLHttpRequest), that will also need to be thought through and is well covered on this site.
* If you have API routes, they should be grouped and excluded from CSRF — which is only safe if those routes do not rely on cookie/session authentication (e.g. they use bearer tokens), since a cookie-authenticated endpoint without a token check remains forgeable.
answered Nov 16 at 6:11
Arthur Cinader
Thanks successfully implemented :D yes sometimes is good to read documentation ...
– Juraj Jakubov
Nov 16 at 19:15
Thanks successfully implemented :D yes sometimes is good to read documentation ...
– Juraj Jakubov
Nov 16 at 19:15
Thanks successfully implemented :D yes sometimes is good to read documentation ...
– Juraj Jakubov
Nov 16 at 19:15
Thanks successfully implemented :D yes sometimes is good to read documentation ...
– Juraj Jakubov
Nov 16 at 19:15