The csurf module stores CSRF tokens within a cookie or in session. This requires either a session or cookie parser to be initialized first. If you are unable to store secrets securely on the server, it is preferred to store the CSRF token using a cookie. Throughout the lesson, we will store our CSRF token inside a cookie.

cookie-parser is a module that is maintained by the Express.js team. The module can also be installed from the npm registry. The module can be included in the application using require():

const cookieParser = require('cookie-parser');

The Express application must be configured to use the cookie parser before the csurf module. Enable the cookie parser module in the application to work at the application level by including the following line early in the application code.


Note: csurf can alternatively store the CSRF token value within a session. However, session management must be set up using express-session.



Include the cookie-parser module in app.js inside a variable named cookieParser.

Press the Check Work button to check your work after each checkpoint.


Configure the app to use the cookieParser() middleware at the application level using app.use().

Sign up to start coding

Mini Info Outline Icon
By signing up for Codecademy, you agree to Codecademy's Terms of Service & Privacy Policy.

Or sign up using:

Already have an account?