-
Notifications
You must be signed in to change notification settings - Fork 16
/
csurf.express.txt
30 lines (27 loc) · 2.85 KB
/
csurf.express.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
CSURF
CSURF([OBJ]) #Express MIDWR (0.0.3) that:
# - checks that client sent SIGNATURE, and verifies it using SECRET
# - Only checks if not GET|HEAD|OPTIONS.
# - If problem, NEXT(ERROR) (ERROR.status 403)
#Can be:
# - if not OBJ.cookie:
# - SECRET = REQ.session.csrfSecret
# - SIGNATURE is REQ.csrfToken() = "RANDOM-" + HMAC-SHA1("RANDOM-SECRET")
# - each REQ.csrfToken() uses different RANDOM
# - SIGNATURE must be sent to client in response headers or body
# - REQ.session must exist
# - if OBJ.cookie { key: VAR, signed: true }:
# - does not seem to work (uses COOKIE-SIGNATURE for signing but another algo for verifying)
# - SECRET = REQ.secret
# - SIGNATURE is cookie VAR (def: "_csrf"): "RANDOM", signed with SECRET (see COOKIE-PARSER)
# - RANDOM stays the same
# - SIGNATURE is sent using Set-Cookie [S]
# - REQ.secret must exist
#SIGNATURE is fetched from client in:
# - _csrf in body or GET variable
# - x-c|xsrf-token header (done by Angular $HTTP)
# - or redefine OBJ.value(REQ)->VAL
#REQ.body must exist (BODY-PARSER)
#With Angular, should send cookie with name "XSRF-TOKEN"