api/csrf

api/csrf

↓ Methods.

module:api/csrf

Description:

Origin/Sec-Fetch-Site headers checks

api-csrf-origin and/or api-csrf-sec-fetch config parameters must be configured, only matched paths or locations are checked, so CSRF protection is explicit by the config.

Source:

api/csrf.js, line 34

Examples

Only allow specific origins for /account

api-csrf-origin-^/account = http://app.host.com
api-csrf-origin-^/account = https://host.com,http://localhost

Only allow same-site or same-origin Sec-Fetch-Site for /api

api-csrf-sec-fetch-^/api/ = same-site
api-csrf-sec-fetch-^/api/ = same-origin,same-origin

Only allow same-origin Sec-Fetch-Site

api-csrf-sec-fetch-^/ = same-origin

Methods

(static) check(req) → {undefinded|object}

Description:

Verify Origin and Sec-Fetch-Site headers for non-skipping methods

Source:

api/csrf.js, line 47

Parameters:

Name	Type	Description
`req`	IncomingRequest	Express request

Returns:

Type	Description
undefinded \| object	an error object if not valid

(static) checkFetchSite(req) → {undefinded|object}

Description:

Verify Sec-Fetch-Site headers

Source:

api/csrf.js, line 87

Parameters:

Name	Type	Description
`req`	IncomingRequest	Express request

Returns:

Type	Description
undefinded \| object	an error object if not valid

(static) checkOrigin(req) → {undefinded|object}

Description:

Verify Origin header

Source:

api/csrf.js, line 62

Parameters:

Name	Type	Description
`req`	IncomingRequest	Express request

Returns:

Type	Description
undefinded \| object	an error object if not valid

↓ Methods.

module:api/csrf

Origin/Sec-Fetch-Site headers checks

Examples

Methods

(static) check(req) → {undefinded|object}

Parameters:

Returns:

(static) checkFetchSite(req) → {undefinded|object}

Parameters:

Returns:

(static) checkOrigin(req) → {undefinded|object}

Parameters:

Returns: