krakenjs / lusca

Application security for express apps.

Exempting XSRF-TOKEN for some requests #119

Closed beshad closed 6 years ago

beshad commented 6 years ago

Hi,

I've set up a project using the Angular-full-stack project. While I want to have CSRF protection for all the requests coming from the client browser environment, I'd like to exclude the requests that will be sent to the same server from the mobile app client. I know I can turn it off completely with {csrf: false}, but is there any other way to set up lusca so it only applies to some requests and not all?

cheers

JayKan commented 6 years ago

@beshad,

It looks like you would like to disable CSRF for some specific routes in your Angular application. In order to achieve that you will need to first disable the default CSRF handling from your configuration file via the middleware section and then re-enable it for the routes you would like to protect. The following config demonstrates how you can protect all routes except those starting with /api:

// your config.json (kraken's config loader strips comments, so they are allowed here)
{
    "middleware": {
        // Override the default "appsec" lusca middleware so that it no longer enforces CSRF.
        // "arguments" must be an array: it holds the positional arguments passed to lusca().
        "appsec": {
            "module": {
                "arguments": [
                    {
                        "xframe": "SAMEORIGIN",
                        "csp": false // CSP stays off; with no "csrf" key here, lusca does not enforce CSRF globally
                    }
                ]
            }
        },

        /**
         * Enable CSRF *ONLY* for the routes matched by "route".
         * Note: the route "regex" needs the double parens
         * because of how express parses route strings,
         * and the /api exclusion is done with a negative lookahead;
         * see: http://www.regular-expressions.info/lookaround.html
         */
        "csrf": {
            "enabled": true,
            "priority": 111,
            "route": "/((?!api))*",
            "module": {
                "name": "lusca",
                "method": "csrf",
                "arguments": [ {} ]
            }
        }
    }
}

Hopefully this answers your questions 😄

beshad commented 6 years ago

Thank you. This is what I needed. Cheers