Incorrect Questions (Production)

Content Services Team (Production)

$opt_dummy_attribute

Non-Student Users

Handshake Pilot (Prod)

Anonymous Users

Pro Lite GTM (Production)

Admin Users

Optimizely Test Users

Billing Update Modal (Production)

Author Users

Anon and Registered Users, Excluding CFB Users

Free Users

Non-India Users

Optimizely-Generated Audience for Backwards Compatibility

student

anonymous

admin

optimizely_test_user

author

free

Preventing Cross-Site Scripting (XSS) Attacks

Preventing Cross-Site Request Forgery (CSRF) Attacks

Preventing SQL Injection Attacks

Defensive Coding in Javascript

Remediation and Incident Response

Common Attacks on Web Applications

Bridge your front-end and back-end knowledge. Learn how to build secure full-stack applications and underlying operating system fundamentals

Full-Stack Development

Cross-Site Request Forgery is a serious vulnerability that results from poor session management. If the requests sent by an application aren’t unique, it’s possible for an attacker to craft a special request and send that to a user. If the user interacts with the crafted request, and sessions aren’t handled properly, an attacker may be able to assume the session identity of that user and carry out requests on their behalf.

In many cases of CSRF, a malicious actor crafts a URL embedded with a request like so:

http://bank.com/send?recipient=Stranger&amount=2000

Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) attacks are relatively easy to mitigate. One of the simplest ways to accomplish this is through the use of CSRF tokens, which are unique values dynamically generated by a server-side application and sent to the client. Since these values are unique for every request, and constantly changing, it is nearly impossible for an attacker to pre-create the URLs/requests for an attack.

Preventing CSRF Attacks

The npm package, [`csurf`](https://www.npmjs.com/package/csurf), protects Node.js express applications from CSRF attacks by providing middleware functions to send and process CSRF tokens with web requests. Because the CSRF tokens need to be stored in either a cookie or a session, we can configure the express app to use the [`cookie-parser`](http://expressjs.com/en/resources/middleware/cookie-parser.html) module.

const express = require('express');
const cookieParser = require('cookie-parser');
const csurf = require('csurf');
const app = express();

const csrfMiddleware = csurf ({
  cookie: {
    maxAge: 300000000,
    secure: true
  }
});

app.use(cookieParser);
app.use(csrfMiddleware);

Configuring `csurf`

Once the `csurf` module is configured, its functions are available on all Express `get`, `post`, and `all` routes. In this code, `req.csrfToken()` generates the CSRF token which we pass to the `render()` function to allow the client’s browser to access the token.
```js
app.get('/form', (req, res) => {
  res.render('formTemplate', { csrfToken: req.csrfToken() });
});
```


It is common practice to place the CSRF token as a [`hidden <input>`](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/hidden) field within a form to submit it automatically with the contents of the form.

<form action="/submit" method="POST">
   <input type="hidden" name="_csrf" value="<%= csrfToken %>" />
   <label for="body">Enter message: </label>
   <input id="body" name="message" type="text" />
   <input type="submit" value="Submit" />
</form>

Generating CSRF tokens with `csurf`

Explore common threats that web applications face and how to mitigate them.

Preventing Cross-Site Request Forgery (CSRF) Attacks

Cross-Site Request Forgery (CSRF)

Preventing CSRF Attacks

Configuring `csurf`

Generating CSRF tokens with `csurf`

Resources

Support

Resources

Support

Plans

Community

Subjects

Languages

Career building

Mobile

Mobile

Preventing Cross-Site Request Forgery (CSRF) Attacks

Cross-Site Request Forgery (CSRF)

Preventing CSRF Attacks

Configuring csurf

Generating CSRF tokens with csurf

Configuring `csurf`

Generating CSRF tokens with `csurf`