gorilla/csrfPublic

NotificationsYou must be signed in to change notification settings
Fork156
Star1.1k

Package gorilla/csrf provides Cross Site Request Forgery (CSRF) prevention middleware for Go web applications & services 🔒

License

BSD-3-Clause license

1.1k stars 156 forks Branches Tags Activity

Star

Notifications

You must be signed in to change notification settings

Branches Tags

Folders and files

Name		Name	Last commit message	Last commit date
Latest commit History 111 Commits
.github/workflows		.github/workflows
examples		examples
vendor		vendor
.editorconfig		.editorconfig
.gitignore		.gitignore
Gopkg.lock		Gopkg.lock
Gopkg.toml		Gopkg.toml
LICENSE		LICENSE
Makefile		Makefile
README.md		README.md
context.go		context.go
csrf.go		csrf.go
csrf_test.go		csrf_test.go
doc.go		doc.go
go.mod		go.mod
go.sum		go.sum
helpers.go		helpers.go
helpers_test.go		helpers_test.go
options.go		options.go
options_test.go		options_test.go
store.go		store.go
store_legacy.go		store_legacy.go
store_legacy_test.go		store_legacy_test.go
store_test.go		store_test.go

Repository files navigation

gorilla/csrf

gorilla/csrf is a HTTP middleware library that providescross-site requestforgery (CSRF)protection. It includes:

Thecsrf.Protect middleware/handler provides CSRF protection on routesattached to a router or a sub-router.
Acsrf.Token function that provides the token to pass into your response,whether that be a HTML form or a JSON response body.
... and acsrf.TemplateField helper that you can pass into yourhtml/templatetemplates to replace a{{ .csrfField }} template tag with a hidden inputfield.

gorilla/csrf is designed to work with any Go web framework, including:

TheGorilla toolkit
Go's built-innet/http package
Goji - see thetailored fork
Gin
Echo
... and any other router/framework that rallies around Go'shttp.Handler interface.

gorilla/csrf is also compatible with middleware 'helper' libraries likeAlice andNegroni.

Install

With a properly configured Go toolchain:

go get github.com/gorilla/csrf

Examples

gorilla/csrf is easy to use: add the middleware to your router withthe below:

CSRF:=csrf.Protect([]byte("32-byte-long-auth-key"))http.ListenAndServe(":8000",CSRF(r))

...and then collect the token withcsrf.Token(r) in your handlers beforepassing it to the template, JSON body or HTTP header (see below).

Note that the authentication key passed tocsrf.Protect([]byte(key)) should:

be 32-bytes long
persist across application restarts.
kept secret from potential malicious users - do not hardcode it into the source code, especially not in open-source applications.

Generating a random key won't allow you to authenticate existing cookies and will break your CSRFvalidation.

gorilla/csrf inspects the HTTP headers (first) and form body (second) onsubsequent POST/PUT/PATCH/DELETE/etc. requests for the token.

HTML Forms

Here's the common use-case: HTML forms you want to provide CSRF protection for,in order to protect malicious POST requests being made:

package mainimport ("net/http""github.com/gorilla/csrf""github.com/gorilla/mux")funcmain() {r:=mux.NewRouter()r.HandleFunc("/signup",ShowSignupForm)// All POST requests without a valid token will return HTTP 403 Forbidden.// We should also ensure that our mutating (non-idempotent) handler only// matches on POST requests. We can check that here, at the router level, or// within the handler itself via r.Method.r.HandleFunc("/signup/post",SubmitSignupForm).Methods("POST")// Add the middleware to your router by wrapping it.http.ListenAndServe(":8000",csrf.Protect([]byte("32-byte-long-auth-key"))(r))// PS: Don't forget to pass csrf.Secure(false) if you're developing locally// over plain HTTP (just don't leave it on in production).}funcShowSignupForm(w http.ResponseWriter,r*http.Request) {// signup_form.tmpl just needs a {{ .csrfField }} template tag for// csrf.TemplateField to inject the CSRF token into. Easy!t.ExecuteTemplate(w,"signup_form.tmpl",map[string]interface{}{csrf.TemplateTag:csrf.TemplateField(r),    })// We could also retrieve the token directly from csrf.Token(r) and// set it in the request header - w.Header.Set("X-CSRF-Token", token)// This is useful if you're sending JSON to clients or a front-end JavaScript// framework.}funcSubmitSignupForm(w http.ResponseWriter,r*http.Request) {// We can trust that requests making it this far have satisfied// our CSRF protection requirements.}

Note that the CSRF middleware will (by necessity) consume the request body if thetoken is passed via POST form values. If you need to consume this in yourhandler, insert your own middleware earlier in the chain to capture the requestbody.

JavaScript Applications

This approach is useful if you're using a front-end JavaScript framework likeReact, Ember or Angular, and are providing a JSON API. Specifically, we needto provide a way for our front-end fetch/AJAX calls to pass the token on eachfetch (AJAX/XMLHttpRequest) request. We achieve this by:

Parsing the token from the<input> field generated by thecsrf.TemplateField(r) helper, or passing it back in a response header.
Sending this token back on every request
Ensuring our cookie is attached to the request so that the form/headervalue can be compared to the cookie value.

We'll also look at applying selective CSRF protection usinggorilla/mux's sub-routers,as we don't handle any POST/PUT/DELETE requests with our top-level router.

package mainimport ("github.com/gorilla/csrf""github.com/gorilla/mux")funcmain() {r:=mux.NewRouter()csrfMiddleware:=csrf.Protect([]byte("32-byte-long-auth-key"))api:=r.PathPrefix("/api").Subrouter()api.Use(csrfMiddleware)api.HandleFunc("/user/{id}",GetUser).Methods("GET")http.ListenAndServe(":8000",r)}funcGetUser(w http.ResponseWriter,r*http.Request) {// Authenticate the request, get the id from the route params,// and fetch the user from the DB, etc.// Get the token and pass it in the CSRF header. Our JSON-speaking client// or JavaScript framework can now read the header and return the token in// in its own "X-CSRF-Token" request header on the subsequent POST.w.Header().Set("X-CSRF-Token",csrf.Token(r))b,err:=json.Marshal(user)iferr!=nil {http.Error(w,err.Error(),500)return    }w.Write(b)}

In our JavaScript application, we should read the token from the responseheaders and pass it in a request header for all requests. Here's what thatlooks like when usingAxios, a popularJavaScript HTTP client library:

// You can alternatively parse the response header for the X-CSRF-Token, and// store that instead, if you followed the steps above to write the token to a// response header.letcsrfToken=document.getElementsByName("gorilla.csrf.Token")[0].value// via https://github.com/axios/axios#creating-an-instanceconstinstance=axios.create({baseURL:"https://example.com/api/",timeout:1000,headers:{"X-CSRF-Token":csrfToken}})// Now, any HTTP request you make will include the csrfToken from the page,// provided you update the csrfToken variable for each render.try{letresp=awaitinstance.post(endpoint,formData)// Do something with resp}catch(err){// Handle the exception}

If you plan to host your JavaScript application on another domain, you can use the Trusted Originsfeature to allow the host of your JavaScript application to make requests to your Go application. Observe the example below:

package mainimport ("github.com/gorilla/csrf""github.com/gorilla/mux")funcmain() {r:=mux.NewRouter()csrfMiddleware:=csrf.Protect([]byte("32-byte-long-auth-key"),csrf.TrustedOrigins([]string{"ui.domain.com"}))api:=r.PathPrefix("/api").Subrouter()api.Use(csrfMiddleware)api.HandleFunc("/user/{id}",GetUser).Methods("GET")http.ListenAndServe(":8000",r)}funcGetUser(w http.ResponseWriter,r*http.Request) {// Authenticate the request, get the id from the route params,// and fetch the user from the DB, etc.// Get the token and pass it in the CSRF header. Our JSON-speaking client// or JavaScript framework can now read the header and return the token in// in its own "X-CSRF-Token" request header on the subsequent POST.w.Header().Set("X-CSRF-Token",csrf.Token(r))b,err:=json.Marshal(user)iferr!=nil {http.Error(w,err.Error(),500)return    }w.Write(b)}

On the example above, you're authorizing requests fromui.domain.com to make valid CSRF requests to your application, so you can have your API server on another domain without problems.

Google App Engine

If you're usingGoogle AppEngine,(first-generation) which doesn't allow you to hook into the defaulthttp.ServeMux directly,you can still use gorilla/csrf (and gorilla/mux):

package app// Remember: appengine has its own package mainfuncinit() {r:=mux.NewRouter()r.HandleFunc("/",IndexHandler)// ...// We pass our CSRF-protected router to the DefaultServeMuxhttp.Handle("/",csrf.Protect([]byte(your-key))(r))}

Note: You can ignore this if you're using thesecond-generation Go runtimeon App Engine (Go 1.11 and above).

Setting SameSite

Go 1.11 introduced the option to set the SameSite attribute in cookies. This isvaluable if a developer wants to instruct a browser to not include cookies duringa cross site request. SameSiteStrictMode prevents all cross site requests from includingthe cookie. SameSiteLaxMode prevents CSRF prone requests (POST) from including the cookiebut allows the cookie to be included in GET requests to support external linking.

funcmain() {CSRF:=csrf.Protect(      []byte("a-32-byte-long-key-goes-here"),// instruct the browser to never send cookies during cross site requestscsrf.SameSite(csrf.SameSiteStrictMode),    )r:=mux.NewRouter()r.HandleFunc("/signup",GetSignupForm)r.HandleFunc("/signup/post",PostSignupForm)http.ListenAndServe(":8000",CSRF(r))}

Cookie path

By default, CSRF cookies are set on the path of the request.

This can create issues, if the request is done from one path to a different path.

You might want to set up a root path for all the cookies; that way, the CSRF will always work across all your paths.

    CSRF := csrf.Protect(      []byte("a-32-byte-long-key-goes-here"),      csrf.Path("/"),    )

Setting Options

What about providing your own error handler and changing the HTTP header thepackage inspects on requests? (i.e. an existing API you're porting to Go). Well,gorilla/csrf provides options for changing these as you see fit:

funcmain() {CSRF:=csrf.Protect(            []byte("a-32-byte-long-key-goes-here"),csrf.RequestHeader("Authenticity-Token"),csrf.FieldName("authenticity_token"),csrf.ErrorHandler(http.HandlerFunc(serverError(403))),    )r:=mux.NewRouter()r.HandleFunc("/signup",GetSignupForm)r.HandleFunc("/signup/post",PostSignupForm)http.ListenAndServe(":8000",CSRF(r))}

Not too bad, right?

If there's something you're confused about or a feature you would like to seeadded, open an issue.

Design Notes

Getting CSRF protection right is important, so here's some background:

This library generates unique-per-request (masked) tokens as a mitigationagainst theBREACH attack.
The 'base' (unmasked) token is stored in the session, which means thatmultiple browser tabs won't cause a user problems as their per-request tokenis compared with the base token.
Operates on a "whitelist only" approach where safe (non-mutating) HTTP methods(GET, HEAD, OPTIONS, TRACE) are theonly methods where token validation is notenforced.
The design is based on the battle-testedDjango andRuby onRailsapproaches.
Cookies are authenticated and based on thesecurecookielibrary. They're also Secure (issued over HTTPS only) and are HttpOnlyby default, because sane defaults are important.
Cookie SameSite attribute (prevents cookies from being sent by a browserduring cross site requests) are not set by default to maintain backwards compatibilityfor legacy systems. The SameSite attribute can be set with the SameSite option.
Go'scrypto/rand library is used to generate the 32 byte (256 bit) tokensand the one-time-pad used for masking them.

This library does not seek to be adventurous.