Addressing Cross-Site Request Forgery (CSRF) attacks
CSRF attacks are similar to XSS attacks in that both occur across multiple sites. In a CSRF attack, malicious software on one site forges a bogus request to another site where the victim's browser is already authenticated. To prevent such an attack, CSRF tokens are generated for each page view, are included as hidden values in HTML FORMs, and then checked when the FORM is submitted. A mismatch on the tokens causes the request to be denied.
The csurf package (https://www.npmjs.com/package/csurf) is designed to be used with Express. In the notes directory, run this:
$ npm install csurf --save
Then install the middleware like so:
import csrf from 'csurf';
...
app.use(cookieParser());
app.use(csrf({ cookie: true }));
The csurf middleware must be installed following the cookieParser middleware, because it reads the secret it needs from a cookie.
Next, for every page that includes a FORM, we must generate and send a token with the page. That requires two things: in the res.render call we generate the token, and in the view template we include the token as a...