csrf

package module
v1.0.1
Published: Nov 22, 2017 License: MIT Imports: 3 Imported by: 0

README

gear-csrf


CSRF middleware for Gear.

Installation

go get -u github.com/teambition/gear-csrf

Usage

import (
	"net/http"

	"github.com/teambition/gear"
	csrf "github.com/teambition/gear-csrf"
)

func main() {
	app := gear.New()

	// Enable the CSRF checking.
	app.Use(csrf.New(csrf.Options{
		Skipper: func(ctx *gear.Context) bool {
			switch ctx.Method {
			// Disable the checking when the request method is GET, HEAD or OPTIONS.
			case http.MethodGet, http.MethodHead, http.MethodOptions:
				return true
			default:
				return false
			}
		},
		CookieOptions: &http.Cookie{Secure: true, HttpOnly: true},
	}))

	app.Use(func(ctx *gear.Context) error {
		// Pass the CSRF token to your template so your forms can include it;
		// return the render error instead of silently dropping it.
		return ctx.Render(http.StatusOK, "./path/to/your/template", csrf.GetTokenFromCtx(ctx))
	})
}

How it works

gear-csrf uses a CSRF token to prevent CSRF attacks. A CSRF token is generated from a user secret and a salt. The user secret is shared between the user's client and the web server through a cookie, so you must ensure that no endpoint of your web application that hands out the CSRF token supports CORS; that way an attacker holding only his own user secret cannot obtain a token valid for yours. The salt is there to prevent the BREACH attack.
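To make the secret/salt scheme concrete, here is an added, self-contained Go illustration (not gear-csrf's code; the token layout `salt + "." + base64url(HMAC-SHA256(secret, salt))`, the cookie name `_csrf` and the helper names are assumptions for this example, while the form key and header are the defaults documented in Options). It shows why the token changes on every response although the secret in the cookie stays fixed, and runs a few constructed POSTs through a small middleware that applies the same GET/HEAD/OPTIONS skipper as the README.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Assumed names for this illustration; the form key and header are the
// defaults documented in Options, the cookie name is not gear-csrf's.
const (
	secretCookie = "_csrf"
	tokenFormKey = "csrf_token"
	tokenHeader  = "X-CSRF-Token"
)

// randomString returns n random bytes, base64url-encoded; that alphabet
// never contains '.', so '.' can separate salt and MAC inside a token.
func randomString(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// makeToken binds a salt to the cookie secret (construction assumed here):
//   token = salt + "." + base64url(HMAC-SHA256(key = secret, msg = salt))
// A fresh salt per token makes the token bytes differ on every response while
// the secret stays fixed, so a compression oracle (BREACH) has no stable
// secret string in the page body to recover byte by byte.
func makeToken(secret, salt string) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(salt))
	return salt + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// verifyToken recomputes the MAC for the salt carried in the token and
// compares in constant time; any salt verifies if the MAC used this secret.
func verifyToken(secret, token string) bool {
	i := strings.IndexByte(token, '.')
	if secret == "" || i <= 0 {
		return false
	}
	expected := makeToken(secret, token[:i])
	return subtle.ConstantTimeCompare([]byte(expected), []byte(token)) == 1
}

// tokenFromRequest prefers the header (AJAX clients) and falls back to the
// form field (HTML forms), as TokenHeader and TokenFormKey describe.
func tokenFromRequest(r *http.Request) string {
	if t := r.Header.Get(tokenHeader); t != "" {
		return t
	}
	return r.FormValue(tokenFormKey)
}

// csrfMiddleware rejects unsafe requests whose token does not verify
// against the secret in the request's own cookie (default 403 response).
func csrfMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions: // README's Skipper
			next.ServeHTTP(w, r)
			return
		}
		c, err := r.Cookie(secretCookie)
		if err != nil || !verifyToken(c.Value, tokenFromRequest(r)) {
			http.Error(w, "Invalid CSRF token", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// postStatus pushes a constructed form POST through the middleware and
// returns the status code, so the scenarios can be checked offline.
func postStatus(cookie *http.Cookie, token string) int {
	h := csrfMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	form := url.Values{tokenFormKey: {token}}
	req := httptest.NewRequest(http.MethodPost, "/transfer", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if cookie != nil {
		req.AddCookie(cookie)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}
```

The cross-site case is the one the README's CORS remark is about: a forged POST from another origin carries the victim's secret cookie automatically, but the token it can attach was minted for the attacker's own secret, so `verifyToken` fails and the middleware answers 403. The same-origin page that rendered the form got a token bound to the victim's secret via `GetTokenFromCtx`, which is why that endpoint must not be readable cross-origin.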

Documentation

The docs can be found at godoc.org, as usual.

License

MIT

Documentation

Overview

Example
package main

import (
	"net/http"

	"github.com/teambition/gear"
	csrf "github.com/teambition/gear-csrf"
)

func main() {
	app := gear.New()

	// Enable the CSRF checking.
	app.Use(csrf.New(csrf.Options{
		Skipper: func(ctx *gear.Context) bool {
			switch ctx.Method {
			// Disable the CSRF checking when the request method is GET, HEAD or OPTIONS.
			case http.MethodGet, http.MethodHead, http.MethodOptions:
				return true
			default:
				return false
			}
		},
		CookieOptions: &http.Cookie{Secure: true, HttpOnly: true},
	}))

	app.Use(func(ctx *gear.Context) error {
		// Pass the CSRF token to your template so your forms can include it;
		// return the render error instead of silently dropping it.
		return ctx.Render(http.StatusOK, "./path/to/your/template", csrf.GetTokenFromCtx(ctx))
	})
}


Constants

This section is empty.

Variables

This section is empty.

Functions

func GetTokenFromCtx

func GetTokenFromCtx(ctx *gear.Context) string

GetTokenFromCtx returns a CSRF token. It sets a user secret cookie on the request if one does not exist yet.

func New

func New(opts Options) gear.Middleware

New returns a new CSRF middleware that protects your Gear app from CSRF attacks.

Types

type Options

type Options struct {
	// Skipper reports whether this middleware should skip the CSRF
	// token check for the request. Return true from the function to
	// let the request bypass this middleware.
	Skipper func(*gear.Context) bool
	// InvalidTokenStatusCode is the HTTP status code returned
	// when the request's CSRF token is invalid. By default it is 403.
	InvalidTokenStatusCode int
	// InvalidTokenMessage is the message returned when the request's
	// CSRF token is invalid. By default it is "Invalid CSRF token".
	InvalidTokenMessage string
	// TokenFormKey is the form field from which the CSRF token is
	// extracted from the request. By default it is "csrf_token".
	TokenFormKey string
	// TokenHeader is the name of the request header from which the
	// CSRF token is extracted. By default it is "X-CSRF-Token".
	TokenHeader string
	// CookieOptions holds the options of the secret cookie. Its type is
	// *http.Cookie, so you can set every field of http.Cookie except
	// Name and Value, which are reserved for storing the secret
	// key/value.
	CookieOptions *http.Cookie
}

Options is the CSRF middleware options.
