Nodejs make automatic csrf protection
Well, I am building a simple Node.js CMS. My question is simple: how can I make CSRF protection automatic? I think it is dangerous, because I can miss this protection in a form or a route. Is there any way to automate this process?



At this moment I am using this.



Routes.js



var csrf = require("csurf");             // package CSURF
var bodyParser = require("body-parser");

// CSRF
// cookie: true stores the secret in a cookie, so cookie-parser must be mounted before this middleware
var csrfProtection = csrf({
  cookie: true
});
var parseForm = bodyParser.urlencoded({
  extended: false
});

// Register
router.get("/register", csrfProtection, shouldNotBeAuthenticated, function (req, res) {
  res.render("../modules/users/views/register", {
    title: 'Register',
    csrfToken: req.csrfToken()   // must be called: req.csrfToken is a function that returns the token
  });
});

router.post("/register", parseForm, csrfProtection, authController.user_reigster);


Form



<form method="post" action="/users/register">
<input type="hidden" name="_csrf" value="{{csrfToken}}">


Package: CSURF.



Thanks for any advice.
      javascript node.js forms csrf csrf-protection
      edited Nov 15 '18 at 19:49
      Juraj Jakubov
      asked Nov 15 '18 at 19:24
Juraj Jakubov
          1 Answer
          I think that you are on the right track.



          The middleware should be applied to ALL POST requests*. An example on the CSURF readme shows the way to do it (worth reading carefully):



// mount api before csrf is appended to the app stack
app.use('/api', api)

// now add csrf and other middlewares, after the "/api" was mounted
app.use(bodyParser.urlencoded({ extended: false }))
app.use(cookieParser())
app.use(csrf({ cookie: true }))


          You should be using a templating language for the user interface. You should have either a template for forms or a filter that looks for forms which include the CSRF attributes in the form when rendering.



          If you are making AJAX POSTs (XMLHttpRequest), that will also need to be thought through and is well covered on this site.



* If you have API routes, they should be grouped and excluded from CSRF.
• Thanks, successfully implemented :D Yes, sometimes it is good to read the documentation ...

            – Juraj Jakubov
            Nov 16 '18 at 19:15
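The answer suggests a render-time filter that puts the CSRF field into every form so none can be forgotten. The following is an added example, not code from the question, the answer or the csurf project: a filter that injects the `_csrf` hidden input (the field name csurf reads by default) into every POST form lacking one, and a hypothetical `csrfFormFilter()` middleware that wraps `res.render` so every page passes through it. It assumes csurf has already run on the request, so `req.csrfToken()` exists.

```javascript
// Escape a value for safe placement inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Add a hidden _csrf field (the name csurf reads by default) to every POST
// form in the rendered HTML that does not already carry one. GET forms are
// left alone: they must not change state, so they need no token.
function injectCsrfIntoForms(html, token) {
  const field = `<input type="hidden" name="_csrf" value="${escapeAttr(token)}">`;
  return html.replace(/<form\b[^>]*>/gi, (tag, offset) => {
    if (!/\bmethod\s*=\s*["']?post["']?/i.test(tag)) return tag;
    // Look ahead to this form's closing tag to see if a token is already present.
    const rest = html.slice(offset);
    const end = rest.search(/<\/form>/i);
    const body = end === -1 ? rest : rest.slice(0, end);
    if (/name\s*=\s*["']_csrf["']/i.test(body)) return tag;
    return tag + field;
  });
}

// Express-style middleware (hypothetical name, not part of csurf) that wraps
// res.render so every page, whatever view engine produced it, passes through
// the filter above. Mount it after csurf, because it calls req.csrfToken().
function csrfFormFilter() {
  return function (req, res, next) {
    const render = res.render.bind(res);
    res.render = function (view, options, callback) {
      if (typeof options === 'function') { callback = options; options = {}; }
      render(view, options, (err, html) => {
        if (err) return callback ? callback(err) : next(err);
        const out = injectCsrfIntoForms(html, req.csrfToken());
        if (callback) return callback(null, out);
        res.send(out);
      });
    };
    next();
  };
}

// Wiring in the order the csurf README excerpt in the answer prescribes:
//   app.use('/api', api);             // API routes mounted first, outside CSRF
//   app.use(cookieParser());
//   app.use(csrf({ cookie: true }));
//   app.use(csrfFormFilter());        // token lands in every POST form
```

Forms submitted by JavaScript (XMLHttpRequest/fetch) bypass this filter and still need the token sent explicitly, as the answer notes.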