1 unstable release
0.1.0 | Jun 30, 2020 |
---|
#12 in #csrf
8KB
133 lines
xsrf
A library to provide Cross-site request forgery protection. See documentation for how to use the library.
lib.rs
:
A library to provide Cross-site request forgery protection.
Getting this right can be tricky, and this library aims to provide the primitives to be able to do this without making it too easy to get it wrong. Remember though, this needs to be coupled with the HTTP layer correctly as well in order to ensure it provide protection.
Warning
This library provides primitives, and is meant to be used as a building block. The suggested way to use this is to write a library to integrate this with your favorite HTTP stack. For example, if you're using actix then don't use this directly but instead go use actix-xsrf.
Usage
The library uses what seems to now be the standard method used by various popular frameworks.
- A
CookieToken
is issued and stored in the cookie or the session. Remember to use a secure signed cookie. - From this
CookieToken
, one or moreRequestToken
s can be issued. You can issue one per request, or multiple. Any number of them can be validated against the originalCookieToken
. - The
RequestToken
should either be embedded in your HTML form, or sent via a HTTP header (often the case for requests initiated in JavaScript). - The server side should validate this under the right circumstances.
Notes
Dependencies
~1–1.6MB
~32K SLoC