Node.js – Protection against Cross-site request forgery (CSRF, XSRF)

 

 

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user’s browser. (source wikipedia)

CSRF_UX_general_Flip

Express.js Framework provides middlware csurf (https://github.com/maxprog/csurf) to protect from CSRF attack.

Description csurf:

csurf – Node.js CSRF protection middleware.

Requires either a session middleware or cookie-parser to be initialized first.

If you have questions on how this module is implemented, please read Understanding CSRF.

Installation

$ npm install csurf

API

var csurf = require('csurf')

csurf([options])

Create a middleware for CSRF token creation and validation. This middleware adds a req.csrfToken() function to make a token which should be added to requests which mutate state, within a hidden form field, query-string etc. This token is validated against the visitor’s session or csrf cookie.

Options

The csurf function takes an optional options object that may contain any of the following keys:

cookie

Determines if the token secret for the user should be stored in a cookie or in req.session. Defaults to false.

When set to true (or an object of options for the cookie), then the module changes behavior and no longer usesreq.session. This means you are no longer required to use a session middleware. Instead, you do need to use the cookie-parser middleware in your app before this middleware.

When set to an object, cookie storage of the secret is enabled and the object contains options for this functionality (when set to true, the defaults for the options are used). The options may contain any of the following keys:

  • key – the name of the cookie to use to store the token secret (defaults to '_csrf').
  • path – the path of the cookie (defaults to '/').
  • any other res.cookie option can be set.
ignoreMethods

An array of the methods for which CSRF token checking will disabled. Defaults to ['GET', 'HEAD', 'OPTIONS'].

sessionKey

Determines what property (“key”) on req the session object is located. Defaults to 'session' (i.e. looks at req.session). The CSRF secret from this library is stored and read as req[sessionKey].csrfSecret.

If the “cookie” option is not false, then this option does nothing.

value

Provide a function that the middleware will invoke to read the token from the request for validation. The function is called asvalue(req) and is expected to return the token as a string.

The default value is a function that reads the token from the following locations, in order:

  • req.body._csrf – typically generated by the body-parser module.
  • req.query._csrf – a built-in from Express.js to read from the URL query string.
  • req.headers['csrf-token'] – the CSRF-Token HTTP request header.
  • req.headers['xsrf-token'] – the XSRF-Token HTTP request header.
  • req.headers['x-csrf-token'] – the X-CSRF-Token HTTP request header.
  • req.headers['x-xsrf-token'] – the X-XSRF-Token HTTP request header.

Example

Simple express example

The following is an example of some server-side code that generates a form that requires a CSRF token to post back.

var cookieParser = require('cookie-parser')
var csrf = require('csurf')
var bodyParser = require('body-parser')
var express = require('express')

// setup route middlewares
var csrfProtection = csrf({ cookie: true })
var parseForm = bodyParser.urlencoded({ extended: false })

// create express app
var app = express()

// parse cookies
// we need this because "cookie" is true in csrfProtection
app.use(cookieParser())

app.get('/form', csrfProtection, function(req, res) {
  // pass the csrfToken to the view
  res.render('send', { csrfToken: req.csrfToken() })
})

app.post('/process', parseForm, csrfProtection, function(req, res) {
  res.send('data is being processed')
})

Inside the view (depending on your template language; handlebars-style is demonstrated here), set the csrfToken value as the value of a hidden input field named _csrf:

<form action="/process" method="POST">
  <input type="hidden" name="_csrf" value="{{csrfToken}}">

  Favorite color: <input type="text" name="favoriteColor">
  <button type="submit">Submit</button>
</form>

Ignoring Routes

Note CSRF checks should only be disabled for requests that you expect to come from outside of your website. Do not disable CSRF checks for requests that you expect to only come from your website. An existing session, even if it belongs to an authenticated user, is not enough to protect against CSRF attacks.

The following is an example of how to order your routes so that certain endpoints do not check for a valid CSRF token.

var cookieParser = require('cookie-parser')
var csrf = require('csurf')
var bodyParser = require('body-parser')
var express = require('express')

// create express app
var app = express()

// create api router
var api = createApiRouter()

// mount api before csrf is appended to the app stack
app.use('/api', api)

// now add csrf and other middlewares, after the "/api" was mounted
app.use(bodyParser.urlencoded({ extended: false }))
app.use(cookieParser())
app.use(csrf({ cookie: true }))

app.get('/form', function(req, res) {
  // pass the csrfToken to the view
  res.render('send', { csrfToken: req.csrfToken() })
})

app.post('/process', function(req, res) {
  res.send('csrf was required to get here')
})

function createApiRouter() {
  var router = new express.Router()

  router.post('/getProfile', function(req, res) {
    res.send('no csrf to get here')
  })

  return router
}

Custom error handling

When the CSRF token validation fails, an error is thrown that has err.code === 'EBADCSRFTOKEN'. This can be used to display custom error messages.

var bodyParser = require('body-parser')
var cookieParser = require('cookie-parser')
var csrf = require('csurf')
var express = require('express')

var app = express()
app.use(bodyParser.urlencoded({ extended: false }))
app.use(cookieParser())
app.use(csrf({ cookie: true }))

// error handler
app.use(function (err, req, res, next) {
  if (err.code !== 'EBADCSRFTOKEN') return next(err)

  // handle CSRF token errors here
  res.status(403)
  res.send('form tampered with')
})

source comes from https://github.com/maxprog/csurf

May 13th, 2016

  • Great post. I used to be checking constantly this web site and I’m impressed!
    Extremely helpful information particularly the past part 🙂 I take care
    of such info much. I used to be seeking this particular
    info for the very long time. Many thanks and all the best..

  • Great post. I used to be checking constantly this web site and I’m impressed!
    Extremely helpful information particularly the past part 🙂 I take care
    of such info much. I used to be seeking this particular
    info for the very long time. Many thanks and all the best..

  • I think other website proprietors should take this web site
    as an model, very clean and wonderful user friendly style and design,
    lett alone thhe content. You are an expert in this topic!.

  • I enjoy you because of each of your work on this blog. Kim really likes working on research and it’s really simple to grasp why. I learn all about the powerful medium you present very important things by means of this blog and therefore cause response from people about this article while our girl is studying a whole lot. Have fun with the rest of the year. Your doing a first class job..

  • Whats up! I just want to give an enormous thumbs up for the great information you might have here on this post. I will likely be coming back to your weblog for extra soon..