#actix-web-middleware #csrf #actix-web #security

actix-csrf-middleware

CSRF protection middleware for Actix Web applications. Supports double submit cookie and synchronizer token patterns (with actix-session) out of the box. Flexible, easy to configure, and includes test coverage for common attacks and edge cases.

4 releases

0.5.4 Oct 11, 2025
0.5.3 Sep 13, 2025
0.5.2 Sep 9, 2025
0.5.0 Sep 8, 2025

#858 in HTTP server


MIT license

79KB
1K SLoC

actix-csrf-middleware

WARNING: This crate has not been audited and may contain bugs and security flaws. This implementation is NOT ready for production use.

Overview

  • Store CSRF tokens as:
    • Stateless double submit cookie
    • Synchronizer token in persistent storage via actix-session
  • Implemented following the OWASP CSRF Prevention Cheat Sheet
    • CSRF token is a 256-bit cryptographically secure random value
    • For the double submit cookie pattern, hashes the session/pre-session ID with the CSRF token using HMAC-SHA256
    • Compares tokens in constant time to prevent timing attacks
  • Protect routes that have no authenticated session yet with signed, stateless pre-sessions (the pre-session cookie is always HttpOnly=true, Secure=true, SameSite=Strict)
  • Automatically extract and verify tokens from:
    • application/json
    • application/x-www-form-urlencoded
  • Configurable cookie, header, and form field names
  • Optional Origin/Referer enforcement for mutating requests (configurable)
  • Helpers for manually extracting and validating CSRF tokens at the handler level, useful for multipart/form-data requests where reading the body in the middleware would be expensive
  • Enabled by default for all mutating HTTP requests (POST, PUT, PATCH, DELETE); individual paths can be excluded via skip_for
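The overview above describes the signed double submit cookie flow (256-bit random token, HMAC-SHA256 binding it to the session or pre-session ID, constant-time comparison, mutating-method gating with skip_for, optional Origin/Referer enforcement). The following is an added Python illustration of that flow using only the standard library; it is not the crate's Rust code, and the cookie layout (`mac.token`), the `!` separator inside the HMAC input, and the helper names are assumptions chosen for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

MUTATING = {"POST", "PUT", "PATCH", "DELETE"}


def needs_csrf_check(method: str, path: str, skip_for: tuple = ()) -> bool:
    """Only mutating methods are checked; paths listed in skip_for are exempt."""
    return method.upper() in MUTATING and path not in skip_for


def issue(session_id: str, key: bytes) -> tuple:
    """Return (cookie_value, form_token) for a fresh CSRF token.

    form_token is 256 random bits (hex) that the page embeds in the form or header.
    The cookie carries the token plus HMAC-SHA256(key, session_id ! token), so a
    cookie minted for one session does not verify for another. Layout is assumed.
    """
    token = secrets.token_hex(32)  # 32 bytes = 256 bits
    mac = hmac.new(key, f"{session_id}!{token}".encode(), hashlib.sha256).hexdigest()
    return f"{mac}.{token}", token


def verify(session_id: str, cookie_value: Optional[str],
           submitted: Optional[str], key: bytes) -> bool:
    """Recompute the HMAC and compare cookie MAC and submitted token in constant time."""
    if not cookie_value or not submitted:
        return False  # missing cookie or missing form/header token
    mac, sep, token = cookie_value.partition(".")
    if not sep:
        return False  # malformed cookie
    expected = hmac.new(key, f"{session_id}!{token}".encode(), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking where the first mismatching byte is
    return hmac.compare_digest(mac, expected) and hmac.compare_digest(token, submitted)


def origin_allowed(headers: dict, allowed_hosts: set) -> bool:
    """Origin (falling back to Referer) must name an allowed https host; neither present is rejected."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    parts = urlsplit(src)
    return parts.scheme == "https" and parts.netloc in allowed_hosts
```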

Examples

Minimal runnable examples are provided in the examples directory.

License

This project is licensed under the MIT License. See LICENSE for details.

Dependencies

~15–29MB
~449K SLoC