CSRF prevention for Revel framework.
atcoder/revel-csrf
VERY IMPORTANT: this project is no longer maintained. Look for alternatives or forks if you need CSRF protection for Revel.
IMPORTANT: consider switching to github.com/revel/modules.
revel-csrf

revel-csrf implements Cross-Site Request Forgery (CSRF) attack prevention for the Revel framework.

The code is based on the nosurf package implemented by Justinas Stankevičius.
```sh
go get github.com/cbonello/revel-csrf
```
A demo application is provided in the samples directory. To launch it:

```sh
revel run github.com/cbonello/revel-csrf/samples/demo
```
Revel-csrf supports the following configuration options in app.conf:

- csrf.ajax: a boolean value that indicates whether revel-csrf should support the injection and verification of CSRF tokens for XMLHttpRequests (tokens sent in the X-CSRFToken request header). Default value is false.
- csrf.token.length: an integer value that defines the number of characters in a CSRF token. The token length should be in [32..512]; the default is 32 characters.
Add csrf.CSRFFilter to the global filter chain in app/init.go. Place it after revel.SessionFilter, as in the chain below, so that the session is available when the token is stored and verified:

```go
package app

import (
	"github.com/cbonello/revel-csrf"
	"github.com/revel/revel"
)

func init() {
	// Filters is the default set of global filters.
	revel.Filters = []revel.Filter{
		revel.PanicFilter,             // Recover from panics and display an error page instead.
		revel.RouterFilter,            // Use the routing table to select the right Action.
		revel.FilterConfiguringFilter, // A hook for adding or removing per-Action filters.
		revel.ParamsFilter,            // Parse parameters into Controller.Params.
		revel.SessionFilter,           // Restore and write the session cookie.
		revel.FlashFilter,             // Restore and write the flash cookie.
		csrf.CSRFFilter,               // CSRF prevention.
		revel.ValidationFilter,        // Restore kept validation errors and save new ones from cookie.
		revel.I18nFilter,              // Resolve the requested language.
		revel.InterceptorFilter,       // Run interceptors around the action.
		revel.ActionInvoker,           // Invoke the action.
	}
}
```
Insert a hidden input field named csrf_token in your forms:

```html
<form action="/Hello" method="POST">
  <input type="text" name="name" />
  <input type="hidden" name="csrf_token" value="{{ .csrf_token }}" />
  <button type="submit">Send</button>
</form>
```
JavaScript sample performing AJAX calls with jQuery 1.5 and newer (requires csrf.ajax = true). The snippet belongs in an inline script of a Revel template: {{ .csrf_token }} is rendered by the template engine (Go's html/template) as a quoted JavaScript string, which would not happen in a static .js file.

```javascript
function csrfSafeMethod(method) {
  // HTTP methods that do not require CSRF protection.
  return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method));
}

$.ajaxSetup({
  crossDomain: false,
  beforeSend: function(xhr, settings) {
    if (!csrfSafeMethod(settings.type)) {
      // Rendered by the template engine as a quoted string, e.g. "abc...".
      xhr.setRequestHeader("X-CSRFToken", {{ .csrf_token }});
    }
  }
});

$("#AJAXForm").submit(function(event) {
  event.preventDefault();
  $.ajax({
    type: "POST",
    url: "/Hello",
    data: { name: $("#AJAXFormName").val() },
    success: function(data) {
      // Switch to HTML code returned by server on success.
      jQuery("body").html(data);
    },
    error: function(jqXHR, status, errorThrown) {
      alert(jqXHR.statusText);
    }
  });
});
```
You can call csrf.ExemptedFullPath() or csrf.ExemptedGlob() to exempt routes from CSRF checks. See app/init.go in the demo application. Exempted routes receive no CSRF protection at all, so only exempt endpoints that do not rely on cookie-based authentication (for example, webhooks authenticated by a signature or API token).
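The following is an added, stand-alone example (not revel-csrf's own code) of the check the filter chain, the hidden form field, the X-CSRFToken header and the exemption calls above add up to: safe methods and exempted paths pass untouched, every other request must carry a token matching the one in the session, and the comparison is constant-time. Function and type names (generateToken, checkRequest, exemptions) are hypothetical; the session token is passed in as a plain string rather than read from a Revel session.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// Hypothetical illustration of a revel-csrf style check; not the module's code.

const (
	minTokenLength = 32  // lower bound documented for csrf.token.length
	maxTokenLength = 512 // upper bound documented for csrf.token.length
)

// generateToken returns a random token of exactly n URL-safe characters,
// clamping n into [32..512] as the configuration option requires.
func generateToken(n int) string {
	if n < minTokenLength {
		n = minTokenLength
	}
	if n > maxTokenLength {
		n = maxTokenLength
	}
	buf := make([]byte, n) // n random bytes encode to at least n characters
	if _, err := rand.Read(buf); err != nil {
		panic(err) // CSPRNG failure: never fall back to a weaker source
	}
	return base64.RawURLEncoding.EncodeToString(buf)[:n]
}

// exemptions mirrors the two exemption styles (full path and glob).
type exemptions struct {
	full  map[string]bool
	globs []string
}

func newExemptions() *exemptions            { return &exemptions{full: map[string]bool{}} }
func (e *exemptions) exemptFullPath(p string) { e.full[p] = true }
func (e *exemptions) exemptGlob(g string)     { e.globs = append(e.globs, g) }

// isExempt reports whether p matches an exempted full path or glob pattern.
func (e *exemptions) isExempt(p string) bool {
	if e.full[p] {
		return true
	}
	for _, g := range e.globs {
		if ok, _ := path.Match(g, p); ok {
			return true
		}
	}
	return false
}

// csrfSafeMethod: the same set the page's jQuery helper treats as safe.
func csrfSafeMethod(m string) bool {
	switch m {
	case "GET", "HEAD", "OPTIONS", "TRACE":
		return true
	}
	return false
}

// checkRequest validates r against sessionToken (the token bound to the
// user's session). The submitted token comes from the csrf_token form field
// or, only when ajax is enabled, from the X-CSRFToken header.
func checkRequest(r *http.Request, sessionToken string, ajax bool, ex *exemptions) error {
	if csrfSafeMethod(r.Method) || ex.isExempt(r.URL.Path) {
		return nil
	}
	if sessionToken == "" {
		return fmt.Errorf("no CSRF token bound to session")
	}
	sent := r.FormValue("csrf_token")
	if sent == "" && ajax {
		sent = r.Header.Get("X-CSRFToken")
	}
	if sent == "" {
		return fmt.Errorf("missing CSRF token")
	}
	// Constant-time comparison so a forged token cannot be guessed via timing.
	if subtle.ConstantTimeCompare([]byte(sent), []byte(sessionToken)) != 1 {
		return fmt.Errorf("invalid CSRF token")
	}
	return nil
}

func main() {
	ex := newExemptions()
	ex.exemptGlob("/api/public/*")
	tok := generateToken(32)
	// Constructed requests standing in for a browser form post and a forged post.
	req := httptest.NewRequest("POST", "/Hello", strings.NewReader("name=bob&csrf_token="+tok))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	fmt.Println("form POST with token:", checkRequest(req, tok, false, ex))
	fmt.Println("POST without token:  ", checkRequest(httptest.NewRequest("POST", "/Hello", nil), tok, false, ex))
}
```

Note that the header is only consulted when ajax is enabled, matching the csrf.ajax option: with it off, an X-CSRFToken header alone is rejected.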
- Unique token per page.
- Test cases.
- Otto Bretz
- Allen Dang