CRSF protection middleware.
By default this middleware generates a token named "_csrf"
which should be added to requests which mutate
state, within a hidden form field, query-string etc. This
token is validated against the visitor's req.session._csrf
property.
The default value function checks req.body generated
by the bodyParser() middleware, req.query generated
by query(), and the "X-CSRF-Token" header field.
This middleware requires session support, thus should be added
somewhere below session() and cookieParser().
Options
value a function accepting the request, returning the token
Object options
Source
module.exports = function csrf(options) {
var options = options || {}
, value = options.value || defaultValue;
return function(req, res, next){
// generate CSRF token
var token = req.session._csrf || (req.session._csrf = utils.uid(24));
// ignore these methods
if ('GET' == req.method || 'HEAD' == req.method || 'OPTIONS' == req.method) return next();
// determine value
var val = value(req);
// check
if (val != token) return next(utils.error(403));
next();
}
};
defaultValue()
Default value function, checking the req.body
and req.query for the CSRF token.
IncomingMessage req
returns String
Source
function defaultValue(req) {
return (req.body && req.body._csrf)
|| (req.query && req.query._csrf)
|| (req.headers['x-csrf-token']);
}
查看更多关于Anti CSRF - 网站安全 - 自学php的详细内容...