Nodejs make automatic csrf protection
Well, I am building a simple Node.js CMS. My question is simple: how can I make CSRF protection automatic? I think it is dangerous, because I can miss this protection in a form or a route. Is there any way to automate this process?



At the moment I am using this.



Routes.js



// CSRF
var express = require("express");
var csrf = require("csurf");
var bodyParser = require("body-parser");
var cookieParser = require("cookie-parser");

var router = express.Router();

// csurf with cookie: true keeps its secret in a cookie, so cookie-parser must run before it
router.use(cookieParser());

var csrfProtection = csrf({
    cookie: true
});
var parseForm = bodyParser.urlencoded({
    extended: false
});

// Register
// shouldNotBeAuthenticated and authController are defined elsewhere in the CMS
router.get("/register", csrfProtection, shouldNotBeAuthenticated, function (req, res) {
    res.render("../modules/users/views/register", {
        title: 'Register',
        csrfToken: req.csrfToken() // must be called; passing the function itself renders no token
    });
});

// parseForm runs first so csurf can read the _csrf field from req.body
router.post("/register", parseForm, csrfProtection, authController.user_reigster);


Form



<form method="post" action="/users/register">
  <input type="hidden" name="_csrf" value="{{csrfToken}}">
  <!-- other registration fields -->
  <button type="submit">Register</button>
</form>


Package: csurf.



Thanks for any advice.
Tags: javascript node.js forms csrf csrf-protection
asked Nov 15 at 19:24 by Juraj Jakubov, edited Nov 15 at 19:49
          1 Answer

          (accepted, score 1)
          I think that you are on the right track.



          The middleware should be applied to ALL POST requests*. An example on the CSURF readme shows the way to do it (worth reading carefully):



          var express = require('express')
          var bodyParser = require('body-parser')
          var cookieParser = require('cookie-parser')
          var csrf = require('csurf')
          var app = express()
          var api = require('./api')   // assumed: a router holding the JSON API routes, which stay outside CSRF

          // mount api before csrf is appended to the app stack
          app.use('/api', api)

          // now add csrf and other middlewares, after the "/api" was mounted
          app.use(bodyParser.urlencoded({ extended: false }))
          app.use(cookieParser())
          app.use(csrf({ cookie: true }))


          You should be using a templating language for the user interface. You should have either a template for forms or a filter that looks for forms and includes the CSRF attributes in the form when rendering.



          If you are making AJAX POSTs (XMLHttpRequest), that will also need to be thought through and is well covered on this site.



          * If you have API routes, they should be grouped and excluded from CSRF.
          • Thanks, successfully implemented :D Yes, sometimes it is good to read the documentation ...
            – Juraj Jakubov
            Nov 16 at 19:15
          answered Nov 16 at 6:11 by Arthur Cinader