Node.js Securing Node.js applications Preventing Cross Site Request Forgery (CSRF)
Example
CSRF is an attack which forces end user to execute unwanted actions on a web application in which he/she is currently authenticated.
It can happen because cookies are sent with every request to a website - even when those requests come from a different site.
We can use csurf module for creating csrf token and validating it.
Example
var express = require('express')
var cookieParser = require('cookie-parser') //for cookie parsing
var csrf = require('csurf') //csrf module
var bodyParser = require('body-parser') //for body parsing
// setup route middlewares
var csrfProtection = csrf({ cookie: true })
var parseForm = bodyParser.urlencoded({ extended: false })
// create express app
var app = express()
// parse cookies
app.use(cookieParser())
app.get('/form', csrfProtection, function(req, res) {
// generate and pass the csrfToken to the view
res.render('send', { csrfToken: req.csrfToken() })
})
app.post('/process', parseForm, csrfProtection, function(req, res) {
res.send('data is being processed')
})
So, when we access GET /form, it will pass the csrf token csrfToken to the view.
Now, inside the view, set the csrfToken value as the value of a hidden input field named _csrf.
e.g. for handlebar templates
<form action="/process" method="POST">
<input type="hidden" name="_csrf" value="{{csrfToken}}">
Name: <input type="text" name="name">
<button type="submit">Submit</button>
</form>
e.g. for jade templates
form(action="/process" method="post")
input(type="hidden", name="_csrf", value=csrfToken)
span Name:
input(type="text", name="name", required=true)
br
input(type="submit")
e.g. for ejs templates
<form action="/process" method="POST">
<input type="hidden" name="_csrf" value="<%= csrfToken %>">
Name: <input type="text" name="name">
<button type="submit">Submit</button>
</form>
