Key Concepts


Cross-Site Request Forgery (CSRF)

In a typical CSRF attack, a malicious actor crafts a URL that carries a complete request, for example: http://bank.com/send?recipient=Stranger&amount=2000 . If a logged-in user's browser is made to load that URL, the request goes out with the user's bank.com session cookie attached.

Cross-Site Request Forgery is a serious vulnerability that arises when an application relies on the session cookie alone to authenticate a state-changing request. Browsers attach a site's cookies to requests regardless of which page triggered them, so if the requests an application accepts contain nothing unpredictable (such as a per-session token), an attacker can craft a request and get a logged-in user to trigger it, for instance by hiding it in a link, an image tag, or an auto-submitting form on a page the attacker controls. The request arrives carrying the victim's session cookie, so the application carries it out on the victim's behalf, even though the attacker never learns the session identifier itself.

Preventing Cross-Site Request Forgery (CSRF) Attacks
Lesson 1 of 1
  1. The web can be a dangerous place, and, as developers, we have to be aware of vulnerabilities and do our best to protect our applications against malicious actors. One of the common vulnerabilities …
  2. csurf is an open-source library for implementing CSRF protection for Node.js. The module is maintained by the Express.js team and provides middleware functions to help our web application send and …
  3. The csurf module stores CSRF tokens in a cookie or in the session. This requires either a session or cookie parser to be initialized first…
  4. After including the dependencies for csurf, we can declare a variable named csrfMiddleware and create an instance of csurf. When instantiating csurf we provide options to the cookie in order to c…
  5. When configuring csurf using app.use, the functions and values are available on every Express route (get, post, and all others). The middleware function is configured at the application level and will be cal…
  6. We’ve now set up the CSRF middleware on the backend and generated a CSRF token that will be stored on the cookie. In order to actually validate whether a token is valid, we need to make sure the CS…
  7. That’s it! The form is now protected from CSRF attacks with csurf. What happens in the case of an invalid CSRF token or none in a user request? csurf will throw an error. It’ll respond with this ug…
  8. Great job! You’ve hardened a web form using the csurf module to implement CSRF tokens. With the CSRF middleware functions configured at the router level, it is easy to harden forms on any page as l…
