Documentation
Overview
Package xsrfhtml provides a safehttp.Interceptor that implements Cross-Site Request Forgery (XSRF) protection by checking incoming requests for the presence of an XSRF token and rejecting those suspected to be part of an attack.
Index
Constants
const (
	// TokenKey is the form key used when sending the token as part of a POST
	// request.
	TokenKey = "xsrf-token"
)
Variables
This section is empty.
Functions
This section is empty.
Types
type Interceptor
type Interceptor struct {
	// SecretAppKey uniquely identifies each registered service and should have
	// high entropy as it is used for generating the XSRF token.
	SecretAppKey string
}
Interceptor implements XSRF protection.
func (*Interceptor) Before
func (it *Interceptor) Before(w safehttp.ResponseWriter, r *safehttp.IncomingRequest, _ safehttp.InterceptorConfig) safehttp.Result
Before checks for the presence of an XSRF token in the body of state-changing requests (all methods except GET, HEAD and OPTIONS) and validates it.
func (*Interceptor) Commit
func (it *Interceptor) Commit(w safehttp.ResponseHeadersWriter, r *safehttp.IncomingRequest, resp safehttp.Response, _ safehttp.InterceptorConfig)
Commit adds XSRF protection in the response, so the interceptor can distinguish between subsequent requests coming from an authorized user and requests that are potentially part of a Cross-Site Request Forgery attack.
On first user visit through a state preserving request (GET, HEAD or OPTIONS), a nonce-based cookie is set in the response as a way to distinguish between users and prevent pre-login XSRF attacks. The cookie is then used in the token generation and verification algorithm and is expected to be present in all subsequent incoming requests.
For every authorized request, the interceptor also generates a cryptographically-safe XSRF token using the SecretAppKey, the cookie and the path visited. This token is then injected as a hidden input field in HTML forms.
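The token scheme described above, as an added stand-alone illustration rather than the package's own implementation: the token is an HMAC-SHA256 (an assumed construction, not necessarily what xsrfhtml uses) over the nonce cookie and the request path, keyed by SecretAppKey, and the Allow function mirrors the Before decision of skipping GET/HEAD/OPTIONS and rejecting any other request whose token does not match this user's cookie and this path.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
)

// State-preserving methods are never checked for a token.
var safeMethods = map[string]bool{
	http.MethodGet: true, http.MethodHead: true, http.MethodOptions: true,
}

// GenerateToken binds the token to the app key, the per-user nonce cookie and
// the visited path (assumed HMAC-SHA256 scheme; a zero byte separates fields).
func GenerateToken(appKey, cookie, path string) string {
	mac := hmac.New(sha256.New, []byte(appKey))
	mac.Write([]byte(cookie))
	mac.Write([]byte{0})
	mac.Write([]byte(path))
	return hex.EncodeToString(mac.Sum(nil))
}

// VerifyToken recomputes the expected token and compares in constant time,
// so a forged token cannot be distinguished from a wrong one by timing.
func VerifyToken(appKey, cookie, path, token string) bool {
	expected := GenerateToken(appKey, cookie, path)
	return hmac.Equal([]byte(expected), []byte(token))
}

// Allow reports whether a request may proceed: safe methods always pass,
// state-changing ones need a cookie and a token bound to cookie and path.
func Allow(appKey, method, path, cookie, token string) bool {
	if safeMethods[method] {
		return true
	}
	if cookie == "" || token == "" {
		return false
	}
	return VerifyToken(appKey, cookie, path, token)
}

func main() {
	key, cookie := "constructed-app-key", "constructed-nonce" // sample values
	tok := GenerateToken(key, cookie, "/transfer")
	fmt.Println(Allow(key, "POST", "/transfer", cookie, tok))     // true
	fmt.Println(Allow(key, "POST", "/transfer", "other-nonce", tok)) // false
	fmt.Println(Allow(key, "POST", "/delete", cookie, tok))       // false
}
```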
func (*Interceptor) Match
func (*Interceptor) Match(safehttp.InterceptorConfig) bool
Match returns false since there are no supported configurations.