expressjs / csurf

CSRF token middleware
MIT License

Allow user to select methods to ignore. #26

Closed STRML closed 10 years ago

STRML commented 10 years ago

Can be useful to add GET csrf protection on a router, or otherwise disable checking for a given verb.

dougwilson commented 10 years ago

Hi! I see you didn't add any tests to go along with your change. Can you show me code for a use-case this change would serve?

STRML commented 10 years ago

@dougwilson Happy to add a test.

As for a use case, for example, I have a large JS app. It has a bootstrap data file that I want to load as quickly as possible. This works well, but the bootstrap file contains some sensitive data. A malicious actor could create an html page that simply requires the script (which would be required with the user's cookies), and read the data.

Aside from doing proper referer and origin checking, a CSRF token on the GET is another nice layer of protection.

STRML commented 10 years ago

Just added tests.

dougwilson commented 10 years ago

OK. I'm going to change the option to an array instead of an object. The only reason it's an object internally is for "faster" lookups.

STRML commented 10 years ago

@dougwilson As an array, it may be more difficult to use: as an object, you can enable/disable any method one at a time, as in the tests.

dougwilson commented 10 years ago

Yes, but there are only 3 methods. To disable GET, just pass in ["HEAD", "OPTIONS"]. Being explicit is a better interface. Then if we decide to start skipping "TRACE", you won't be thrown off-guard. The option will make other people than you happy by allowing them to know for sure which methods are ignored instead of needing to know what the defaults are.

STRML commented 10 years ago

Makes sense, I agree with that.


dougwilson commented 10 years ago

ok, check out npm install expressjs/csurf and confirm if it fits your needs or not :)

STRML commented 10 years ago

@dougwilson Just tried it out, works great. Thanks