Crumb combats CSRF (Cross Site Request Forgery) using crumb generation and validation. See CSRF Prevention Cheat Sheet for more details about CSRF and tokens.
By default hapijs/crumb adds a crumb token to every view context. This allows the token to be placed into forms and validated, ensuring each request comes from the proper user session.
In order to facilitate a "transparent but visible" CSRF solution, developers are encouraged to adopt the Synchronizer Token Pattern. The synchronizer token pattern requires the generating of random "challenge" tokens that are associated with the user's current session. These challenge tokens are then inserted within the HTML forms and links associated with sensitive server-side operations. When the user wishes to invoke these sensitive operations, the HTTP request should include this challenge token. It is then the responsibility of the server application to verify the existence and correctness of this token.
Source: OWASP Cheat Sheet
Configure application to use crumb
Ensure all POST requests in the API enforce crumb validation.
Configure Crumb
After configuring the application to use lout, route documentation can be viewed at: localhost:8001/docs.
100% test coverage required
Assignment Helps
Most crumb usage modeled after npm/newww
Assignment Due July 29, 2015