Nodejs make automatic csrf protection
Well, I am building a simple Node.js CMS. My question is simple: how can I make automatic CSRF protection? Because I think it's dangerous and I can miss this protection in a form or route. Is there any way to automate this process?
At this moment I am using this.
Routes.js
// CSRF
var csrfProtection = csrf({
  cookie: true
})
var parseForm = bodyParser.urlencoded({
  extended: false
})
// Register
router.get("/register", csrfProtection, shouldNotBeAuthenticated, function (req, res) {
  res.render("../modules/users/views/register", {
    title: 'Register',
    csrfToken: req.csrfToken() // csurf exposes a function; call it to mint the token
  });
});
router.post("/register", parseForm, csrfProtection, authController.user_reigster);
Form
<form method="post" action="/users/register">
  <!-- template placeholder for the token passed to res.render (braces lost in extraction) -->
  <input type="hidden" name="_csrf" value="{{csrfToken}}">
</form>
Package: CSURF.
Thanks for any advice.
Tags: javascript node.js forms csrf csrf-protection
asked Nov 15 '18 at 19:24 by Juraj Jakubov, edited Nov 15 '18 at 19:49
1 Answer
I think that you are on the right track.
The middleware should be applied to ALL POST requests*. An example on the CSURF readme shows the way to do it (worth reading carefully):
// mount api before csrf is appended to the app stack
app.use('/api', api)
// now add csrf and other middlewares, after the "/api" was mounted
app.use(bodyParser.urlencoded({ extended: false }))
app.use(cookieParser())
app.use(csrf({ cookie: true }))
You should be using a templating language for the user interface. You should have either a template for forms or a filter that looks for forms, which includes the CSRF attributes in the form when rendering.
If you are making AJAX POSTs (XMLHttpRequest), that will also need to be thought through and is well covered on this site.
* If you have API routes, they should be grouped and excluded from CSRF.
Thanks, successfully implemented :D Yes, sometimes it is good to read the documentation ...
– Juraj Jakubov, Nov 16 '18 at 19:15
answered Nov 16 '18 at 6:11 by Arthur Cinader