back
loading skill details...
>
CSRF Protection
Table of Contents
Overview
When to Use
Quick Start
Reference Guides
Best Practices
Overview
Implement comprehensive Cross-Site Request Forgery protection using synchronizer tokens, double-submit cookies, SameSite cookie attributes, and custom headers.
When to Use
Form submissions
State-changing operations
Authentication systems
Payment processing
Account management
Any POST/PUT/DELETE requests
Quick Start
Minimal working example:
// csrf-protection.js
const crypto = require("crypto");
const csrf = require("csurf");
class CSRFProtection {
constructor() {
this.tokens = new Map();
this.tokenExpiry = 3600000; // 1 hour
}
/**
* Generate CSRF token
*/
generateToken() {
return crypto.randomBytes(32).toString("hex");
}
/**
* Create token for session
*/
createToken(sessionId) {
const token = this.generateToken();
const expiry = Date.now() + this.tokenExpiry;
this.tokens.set(sessionId, {
// ... (see reference guides for full implementation)
Reference Guides
Detailed implementations in the references/ directory:
Guide
Contents
Node.js/Express CSRF Protection
Node.js/Express CSRF Protection
Double Submit Cookie Pattern
Double Submit Cookie Pattern
Python Flask CSRF Protection
Python Flask CSRF Protection
Frontend CSRF Implementation
Frontend CSRF Implementation
Origin and Referer Validation
Origin and Referer Validation
Best Practices
✅ DO
Use CSRF tokens for all state-changing operations
Set SameSite=Strict on cookies
Validate Origin/Referer headers
Use secure, random tokens
Implement token expiration
Use HTTPS only
Include tokens in AJAX requests
Test CSRF protection
❌ DON'T
Skip CSRF for authenticated requests
Use GET for state changes
Trust Origin header alone
Reuse tokens
Store tokens in localStorage
Allow credentials in CORS without validation
1d:[don't have the plugin yet? install it then click "run inline in claude" again.