Documentation ¶
Overview ¶
Package nosurf implements an HTTP handler that mitigates Cross-Site Request Forgery Attacks.
Index ¶
- Constants
- Variables
- func NewPure(handler http.Handler) http.Handler
- func Reason(req *http.Request) error
- func Token(req *http.Request) string
- func VerifyToken(realToken, sentToken string) bool
- type CSRFHandler
- func (h *CSRFHandler) ExemptFunc(fn func(r *http.Request) bool)
- func (h *CSRFHandler) ExemptGlob(pattern string)
- func (h *CSRFHandler) ExemptGlobs(patterns ...string)
- func (h *CSRFHandler) ExemptPath(path string)
- func (h *CSRFHandler) ExemptPaths(paths ...string)
- func (h *CSRFHandler) ExemptRegexp(re interface{})
- func (h *CSRFHandler) ExemptRegexps(res ...interface{})
- func (h *CSRFHandler) IsExempt(r *http.Request) bool
- func (h *CSRFHandler) RegenerateToken(w http.ResponseWriter, r *http.Request) string
- func (h *CSRFHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
- func (h *CSRFHandler) SetBaseCookie(cookie http.Cookie)
- func (h *CSRFHandler) SetFailureHandler(handler http.Handler)
Constants ¶
const ( // the name of CSRF cookie CookieName = "csrf_token" // the name of the form field FormFieldName = "csrf_token" // the name of CSRF header HeaderName = "X-CSRF-Token" // the HTTP status code for the default failure handler FailureCode = 400 // Max-Age in seconds for the default base cookie. 365 days. MaxAge = 365 * 24 * 60 * 60 )
Variables ¶
var ( ErrNoReferer = errors.New("A secure request contained no Referer or its value was malformed") ErrBadReferer = errors.New("A secure request's Referer comes from a different Origin" + " from the request's URL") ErrBadToken = errors.New("The CSRF token in the cookie doesn't match the one" + " received in a form/header.") )
reasons for CSRF check failures
Functions ¶
func Reason ¶
Reason takes an HTTP request and returns the reason of failure of the CSRF check for that request
Note that the same availability restrictions apply for Reason() as for Token().
func Token ¶
Token takes an HTTP request and returns the CSRF token for that request or an empty string if the token does not exist.
Note that the token won't be available after CSRFHandler finishes (that is, in another handler that wraps it, or after the request has been served)
func VerifyToken ¶
VerifyToken verifies the sent token equals the real one and returns a bool value indicating if tokens are equal. Supports masked tokens. realToken comes from Token(r) and sentToken is token sent unusual way.
Types ¶
type CSRFHandler ¶
type CSRFHandler struct {
// contains filtered or unexported fields
}
func New ¶
func New(handler http.Handler) *CSRFHandler
Constructs a new CSRFHandler that calls the specified handler if the CSRF check succeeds.
func (*CSRFHandler) ExemptFunc ¶
func (h *CSRFHandler) ExemptFunc(fn func(r *http.Request) bool)
func (*CSRFHandler) ExemptGlob ¶
func (h *CSRFHandler) ExemptGlob(pattern string)
Exempts URLs that match the specified glob pattern (as used by filepath.Match()) from CSRF checks
Note that ExemptGlob() is unable to detect syntax errors, because it doesn't have a path to check it against and filepath.Match() doesn't report an error if the path is empty. If we find a way to check the syntax, ExemptGlob MIGHT PANIC on a syntax error in the future. ALWAYS check your globs for syntax errors.
func (*CSRFHandler) ExemptGlobs ¶
func (h *CSRFHandler) ExemptGlobs(patterns ...string)
A variadic argument version of ExemptGlob()
func (*CSRFHandler) ExemptPath ¶
func (h *CSRFHandler) ExemptPath(path string)
Exempts an exact path from CSRF checks With this (and other Exempt* methods) you should take note that Go's paths include a leading slash.
func (*CSRFHandler) ExemptPaths ¶
func (h *CSRFHandler) ExemptPaths(paths ...string)
A variadic argument version of ExemptPath()
func (*CSRFHandler) ExemptRegexp ¶
func (h *CSRFHandler) ExemptRegexp(re interface{})
Accepts a regular expression string or a compiled *regexp.Regexp and exempts URLs that match it from CSRF checks.
If the given argument is neither of the accepted values, or the given string fails to compile, ExemptRegexp() panics.
func (*CSRFHandler) ExemptRegexps ¶
func (h *CSRFHandler) ExemptRegexps(res ...interface{})
A variadic argument version of ExemptRegexp()
func (*CSRFHandler) IsExempt ¶
func (h *CSRFHandler) IsExempt(r *http.Request) bool
Checks if the given request is exempt from CSRF checks. It checks the ExemptFunc first, then the exact paths, then the globs and finally the regexps.
func (*CSRFHandler) RegenerateToken ¶
func (h *CSRFHandler) RegenerateToken(w http.ResponseWriter, r *http.Request) string
Generates a new token, sets it on the given request and returns it
func (*CSRFHandler) ServeHTTP ¶
func (h *CSRFHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
func (*CSRFHandler) SetBaseCookie ¶
func (h *CSRFHandler) SetBaseCookie(cookie http.Cookie)
Sets the base cookie to use when building a CSRF token cookie This way you can specify the Domain, Path, HttpOnly, Secure, etc.
func (*CSRFHandler) SetFailureHandler ¶
func (h *CSRFHandler) SetFailureHandler(handler http.Handler)
Sets the handler to call in case the CSRF check fails. By default it's defaultFailureHandler.