krakenjs / lusca

Application security for express apps.

Ignore CSRF on certain paths via config. Fixes #7 #8

Closed lmarkus closed 10 years ago

lmarkus commented 10 years ago

This PR gives lusca the ability to ignore certain paths, as specified by the user via config.

It supports Express-style paths: /path/:with/parameters

It addresses PayPal/kraken-js#46 and #7

I would love to hear comments on ./index.js#124. How should the system let the user know about a bad configuration? I know we don't want to pollute the console. Should lusca swallow the error, and we just document the behavior?
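One way to handle the path matching and the bad-configuration question raised in the comment above, as an added example that is not code from this PR or from lusca. The function names, the sample paths and the choice to throw on a malformed pattern at startup are assumptions.

```javascript
'use strict';
// Added example: hypothetical helpers, not lusca's implementation.

// Compile an Express-style path ("/path/:with/parameters") into an anchored
// RegExp. Literal segments are escaped; ":name" matches exactly one segment.
function compileIgnorePath(pattern) {
  if (typeof pattern !== 'string' || pattern[0] !== '/') {
    throw new TypeError('ignore path must be a string starting with "/": ' + String(pattern));
  }
  const segments = pattern.split('/').slice(1).map(function (seg) {
    if (/^:[A-Za-z_]\w*$/.test(seg)) {
      return '[^/]+'; // named parameter: one non-empty path segment
    }
    if (seg.indexOf(':') !== -1) {
      throw new TypeError('malformed parameter in ignore path: ' + pattern);
    }
    return seg.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); // escape regex metacharacters
  });
  // Anchored at both ends so exempting "/health" does not also exempt
  // "/health/admin" or "/healthz". One optional trailing slash is allowed.
  return new RegExp('^/' + segments.join('/') + '/?$');
}

// Build the skip predicate once at startup. A bad entry throws here, so a
// misconfigured exemption is reported instead of being silently dropped.
function buildCsrfIgnore(patterns) {
  const compiled = patterns.map(compileIgnorePath);
  return function shouldSkipCsrf(requestPath) {
    const path = requestPath.split('?')[0]; // match on the path, not the query
    return compiled.some(function (re) { return re.test(path); });
  };
}

// Constructed sample configuration and requests.
const skip = buildCsrfIgnore(['/webhooks/:provider/callback', '/health']);
console.log(skip('/webhooks/acme/callback'));       // exempt
console.log(skip('/webhooks/acme/extra/callback')); // still CSRF-checked
console.log(skip('/health/admin'));                 // still CSRF-checked
```

Throwing at startup is one answer to the question; logging a warning and continuing would leave the CSRF check in force on the paths the user believed were exempt.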

lmarkus commented 10 years ago

Thanks Jeff!

Fixed for first comment. For second comment, made a minor fix. My intent here is to warn the user when they provide a bad configuration, because they are expecting Lusca to behave a certain way, when it will not.

For comment three, I don't fully understand what you meant. Can you clarify?

jeffharrell commented 10 years ago

Closing this out as there's a slightly different solve we're doing for all middleware with meddleware.