Skip to content

huuzkee-foundation/csrf

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits

example

example

 
 

.gitignore

.gitignore

 
 

.travis.yml

.travis.yml

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

csrfbanana.go

csrfbanana.go

 
 

csrfbanana_test.go

csrfbanana_test.go

 
 

nosurf.go

nosurf.go

 
 

nosurf_test.go

nosurf_test.go

 
 

token.go

token.go

 
 

token_test.go

token_test.go

 
 

util_test.go

util_test.go

 
 

Repository files navigation

CSRFBanana

Build Status Coverage Status GoDoc

CSRF Protection for gorilla/sessions in the Go Language

CSRFBanana is a middleware package that helps prevent cross-site request forgery attacks. The package can generate tokens per session or per page. Tokens can also be regenerated after a successful or failed attempt to validate.

In this package, the CSRF tokens are stored in the (same) session cookie that is handled by gorilla/sessions. You can read about the different CSRF approaches on StackOverflow: Why is it common to put CSRF prevention tokens in cookies?

Usage

Import the package:

import "github.com/josephspurrier/csrfbanana"

Configure the package as middleware:

// Default handler
h := http.HandlerFunc(YourOwnDefaultFunction)

// Insert the CSRFBanana here to prevent CSRF
cs := csrfbanana.New(h, Store, SessionName)

// Set error page for CSRF failures
cs.FailureHandler(http.HandlerFunc(routeInvalidToken))

// Generate a new token after each success/failure (also prevents double submits)
cs.ClearAfterUsage(true)

// Exclude routes like /static/ from token generation/checking
cs.ExcludeRegexPaths([]string{"/static(.*)"})

// Set the token length (default is 32)
csrfbanana.TokenLength = 32

// Set the token name used in the forms and session (default is token)
csrfbanana.TokenName = "token"

// Set the token to generate per page (false - the default) or per session (true)
csrfbanana.SingleToken = false

// Pass the handler to your HTTP server
http.ListenAndServe(":80", cs)

Generate the token before passing to your templates:

// Create a map for the template
vars := make(map[string]string)

// Store the CSRF token to the map
vars["token"] = csrfbanana.Token(w, r, sess)

// Show the template
templ.Execute(w, vars)

Add the token to every POST form that is not excluded by ExcludeRegexPaths():

<input type="hidden" name="token" value="{{.token}}">

Note: Any other POST operation needs to either include the token or be added to ExcludeRegexPaths().

Working Example

To see the example in action, use the following commands:

go get github.com/josephspurrier/csrfbanana/example
go run src/github.com/josephspurrier/csrfbanana/example/example.go

Major Contributions

Thanks to Justinas Stankevičius for his CSRF package which I used as a solid example.

About

csrf

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages