github.com/hertz-contrib/csrf (module, package)
Version: 0.1.1
Repository: https://github.com/hertz-contrib/csrf.git
Documentation: pkg.go.dev

# README

CSRF (This is a community-driven project)

Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other.

The CSRF middleware helps you prevent Cross-Site Request Forgery attacks.

This repo borrows the structural design of fiber-csrf and adapts it to Hertz.

Install

```shell
go get github.com/hertz-contrib/csrf
```

Import

```go
import "github.com/hertz-contrib/csrf"
```

Example

```go
package main

import (
	"context"

	"github.com/cloudwego/hertz/pkg/app"
	"github.com/cloudwego/hertz/pkg/app/server"
	"github.com/hertz-contrib/csrf"
	"github.com/hertz-contrib/sessions"
	"github.com/hertz-contrib/sessions/cookie"
)

func main() {
	h := server.Default()

	// Cookie-backed session store; "secret" is a placeholder key for the example.
	store := cookie.NewStore([]byte("secret"))
	h.Use(sessions.New("session", store))
	h.Use(csrf.New(
		// Secret used to generate tokens (see Options); replace it in real deployments.
		csrf.WithSecret("secret123"),
		// ErrorFunc replaces the default panic: answer 400 with the validation
		// error and stop the handler chain.
		csrf.WithErrorFunc(func(c context.Context, ctx *app.RequestContext) {
			ctx.String(400, ctx.Errors.Last().Error())
			ctx.Abort()
		}),
	))

	// GET is in the default IgnoreMethods, so this handler only hands out a token.
	h.GET("/protected", func(c context.Context, ctx *app.RequestContext) {
		ctx.String(200, csrf.GetToken(ctx))
	})

	// POST is protected: reaching this handler means the token was valid.
	h.POST("/protected", func(c context.Context, ctx *app.RequestContext) {
		ctx.String(200, "CSRF token is valid")
	})

	h.Spin()
}
```

Options

| Option | Default | Description |
|---|---|---|
| Secret | `"csrfSecret"` | Secret used to generate the token. |
| IgnoreMethods | `"GET", "HEAD", "OPTIONS", "TRACE"` | Requests using these methods are treated as not requiring protection. |
| Next | `nil` | Next defines a function; when it returns true this middleware is skipped. |
| KeyLookup | `"header:X-CSRF-TOKEN"` | KeyLookup is a string in the form of `<source>:<key>` that is used to create an Extractor that extracts the token from the request. |
| ErrorFunc | `func(ctx context.Context, c *app.RequestContext) { panic(c.Errors.Last()) }` | ErrorFunc is executed when an error is returned from app.HandlerFunc. |
| Extractor | By default an Extractor is created from KeyLookup. | Extractor returns the CSRF token. If set, it is used in place of the Extractor based on KeyLookup. |
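To make the Options table concrete, here is an added example (not code from hertz-contrib/csrf) that re-implements on plain net/http the two per-request decisions the table describes: turning a KeyLookup string of the form `<source>:<key>` into an Extractor, and letting IgnoreMethods pass before comparing the extracted token. The names NewExtractor and Check are assumptions of this example, the value compared against is whatever token the application issued for the session, and route-param lookup is left out because net/http has no router.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"net/http"
	"strings"
)

// Extractor plays the role of the middleware's Extractor option.
type Extractor func(r *http.Request) (string, error)
var ErrMissingToken = errors.New("csrf: token missing")
var ErrInvalidToken = errors.New("csrf: token invalid")

// NewExtractor parses a "<source>:<key>" string in the shape KeyLookup uses; the
// sources handled here are header, query and form (route params need a router).
func NewExtractor(lookup string) (Extractor, error) {
	source, key, ok := strings.Cut(lookup, ":")
	get := map[string]func(*http.Request) string{
		"header": func(r *http.Request) string { return r.Header.Get(key) },
		"query":  func(r *http.Request) string { return r.URL.Query().Get(key) },
		"form":   func(r *http.Request) string { return r.PostFormValue(key) },
	}[source]
	if !ok || key == "" || get == nil {
		return nil, errors.New("csrf: KeyLookup must be header|query|form:<key>, got " + lookup)
	}
	return func(r *http.Request) (string, error) {
		if t := get(r); t != "" {
			return t, nil
		}
		return "", ErrMissingToken
	}, nil
}

// Check is the per-request decision: methods in ignored pass untouched (the IgnoreMethods
// default is GET, HEAD, OPTIONS, TRACE); any other method must carry a token equal to expected.
func Check(r *http.Request, expected string, extract Extractor, ignored []string) error {
	for _, m := range ignored {
		if r.Method == m {
			return nil
		}
	}
	token, err := extract(r)
	if err != nil {
		return err
	}
	// Constant-time comparison so a mismatch leaks nothing about the expected value.
	if subtle.ConstantTimeCompare([]byte(token), []byte(expected)) != 1 {
		return ErrInvalidToken
	}
	return nil
}
```

A GET to a protected route passes without a token, while a POST must present the session's token in the configured location or Check returns the error that ErrorFunc would receive.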


# Functions

CsrfFromForm returns a function that extracts a token from a multipart-form.
CsrfFromHeader returns a function that extracts token from the request header.
CsrfFromParam returns a function that extracts token from the url param string.
CsrfFromQuery returns a function that extracts token from the query string.
GetToken returns a CSRF token.
New creates the middleware that validates CSRF tokens.
WithErrorFunc sets ErrorFunc.
WithExtractor sets extractor.
WithIgnoredMethods sets methods that do not need to be protected.
WithKeyLookUp sets a string in the form of "<source>:<key>" that is used to create an Extractor that extracts the token from the request.
WithNext sets a function that skips this middleware when it returns true.
WithSecret sets secret.

# Variables

OptionsDefault is the default options.

# Structs

Option is the only struct that can be used to set Options.
Options defines the config for middleware.
