Great job! You’ve hardened a web form using the csurf module to implement CSRF tokens. With the CSRF middleware functions configured at the router level, it is easy to harden forms on any page as long as the CSRF token is included in the view of the form.
These are the main steps we covered in this lesson:
- Setting up the csurf middleware in our code and specifying that CSRF tokens be stored in cookies
- Using csurf to generate a CSRF token
- Putting the CSRF token in a hidden input in the HTML form
- Handling the case where the CSRF token submitted with the form doesn’t match the one generated by the server
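As an added example (not the workspace code from this lesson), here are those four steps wired into one small Express app. It assumes the express, cookie-parser and csurf packages are installed; the /submit endpoint and port 4001 are taken from the lesson.

```javascript
// Added example, not the lesson's workspace code. Assumes express,
// cookie-parser and csurf are installed (npm install express cookie-parser csurf).

// Escape text before putting it into HTML, so a reflected token or message
// cannot break out of an attribute or inject markup.
function escapeHtml(value) {
  return String(value).replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Step 3: the form view carries the token back in a hidden input named _csrf,
// which is the field csurf reads from req.body by default.
function renderForm(csrfToken) {
  return `<form action="/submit" method="POST">
  <input type="hidden" name="_csrf" value="${escapeHtml(csrfToken)}">
  <input type="text" name="message">
  <button type="submit">Post</button>
</form>`;
}

// Step 4: csurf rejects a missing or mismatched token by passing an error with
// code EBADCSRFTOKEN to next(); answer 403 and let every other error fall through.
function csrfErrorHandler(err, req, res, next) {
  if (err.code !== 'EBADCSRFTOKEN') return next(err);
  res.status(403).send('Form tampered with: missing or invalid CSRF token');
}

function startServer(port) {
  const express = require('express');
  const cookieParser = require('cookie-parser');
  const csurf = require('csurf');
  const app = express();

  app.use(cookieParser());                          // csurf needs cookies parsed first
  app.use(express.urlencoded({ extended: false })); // so csurf can read req.body._csrf
  // Step 1: keep the CSRF secret in a cookie instead of a server-side session.
  const csrfProtection = csurf({ cookie: true });

  // Step 2: generate a token for this response and embed it in the form.
  app.get('/', csrfProtection, (req, res) => res.send(renderForm(req.csrfToken())));
  // The same middleware verifies the token on the POST before the handler runs.
  app.post('/submit', csrfProtection, (req, res) => {
    res.send(`Posted "${escapeHtml(req.body.message)}" with CSRF token ${escapeHtml(req.body._csrf)}`);
  });
  app.use(csrfErrorHandler);
  return app.listen(port, () => console.log(`Listening on port ${port}`));
}

// Run with: node app.js --serve   (nothing starts when --serve is absent)
if (process.argv.includes('--serve')) startServer(4001);
```

With the server running, a `curl -X POST -d "message=Okay!" http://localhost:4001/submit` without the cookie and hidden field is answered with the 403 from csrfErrorHandler, while the browser form submits successfully.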
The workspace contains a secured form. Submit the form and you will see the CSRF token value that is sent along with the form data. Then, in a terminal, try to POST data to the form endpoint without the CSRF token and you will see an error!
To run the application, type node app.js into the bash terminal and then refresh the mini browser.
Note: The way that the workspace interacts with stored cookies may be affected by your browser’s security settings. Please try using Chrome or Firefox for best results.
Start the server by running node app.js. Then open a new Bash terminal and try posting data to the endpoint using the following curl command:
curl -X POST -d "message=Okay!" http://localhost:4001/submit
Then try submitting a status through the web form; you should see a successful post and the CSRF token that was submitted!