README(3pm) | User Contributed Perl Documentation | README(3pm) |
Plack::Middleware::CSRFBlock - Block CSRF Attacks with minimal changes to your app
version 0.10
    use Plack::Builder;

    my $app = sub { ... };

    builder {
        enable 'Session';
        enable 'CSRFBlock';
        $app;
    };
This middleware blocks CSRF. In most cases you can use it without any modifications to your application. Here is the strategy: a hidden token field is inserted into every POST form of the HTML response, and every subsequent POST request is checked for that token. For example, given this response body:
    <html>
      <head>
        <title>input form</title>
      </head>
      <body>
        <form action="/api" method="post">
          <input type="text" name="email" /><input type="submit" />
        </form>
      </body>
    </html>
This becomes:
    <html>
      <head>
        <title>input form</title>
      </head>
      <body>
        <form action="/api" method="post"><input type="hidden" name="SEC" value="0f15ba869f1c0d77" />
          <input type="text" name="email" /><input type="submit" />
        </form>
      </body>
    </html>
This affects "form" tags with method="post", matched case-insensitively.
It is possible to add an optional meta tag by setting "meta_tag" to a defined value. The "name" attribute of the inserted meta tag is set to the value of "meta_tag" and its "content" attribute to the token. For the previous example, when "meta_tag" is set to 'csrf_token', the output will be:
    <html>
      <head><meta name="csrf_token" content="0f15ba869f1c0d77"/>
        <title>input form</title>
      </head>
      <body>
        <form action="/api" method="post"><input type="hidden" name="SEC" value="0f15ba869f1c0d77" />
          <input type="text" name="email" /><input type="submit" />
        </form>
      </body>
    </html>
The token parameter is read from "application/x-www-form-urlencoded" and "multipart/form-data" request bodies; in addition, any "POST" is also checked for the token in the "X-CSRF-Token" header. Thus every "POST" must carry either the header or the appropriate form parameter in the body.
    $(document).ajaxSend(function(e, xhr, options) {
        // the selector must match the value configured for "meta_tag" ('csrf_token' in the example above)
        var token = $("meta[name='csrf_token']").attr("content");
        xhr.setRequestHeader("X-CSRF-Token", token);
    });
This will include the X-CSRF-Token header with every jQuery AJAX request made from your JavaScript.
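To make the two steps of the strategy concrete, here is an added stand-alone Python sketch of an output filter that injects the token and an input check that accepts it from either the body or the header; it is example code, not the module's Perl implementation. The names inject_token, request_allowed, SAMPLE_HTML and demo are assumptions of this example, and the constant-time comparison is an addition of the example.

```python
import hmac
import re
import secrets
from urllib.parse import parse_qs
# Opening <form> tag whose method is "post", matched case-insensitively like the middleware does.
POST_FORM_RE = re.compile(r'<form\b[^>]*\bmethod\s*=\s*["\']?post["\']?[^>]*>', re.IGNORECASE)
HEAD_RE = re.compile(r'<head\b[^>]*>', re.IGNORECASE)

def new_token(token_length=16):
    """Random hex token of token_length characters (16 matches the value shown on the page)."""
    return secrets.token_hex((token_length + 1) // 2)[:token_length]

def inject_token(html, token, parameter_name="SEC", meta_tag=None):
    """Output filter: hidden input appended to every POST form, plus a <meta> in <head> if meta_tag is set."""
    hidden = f'<input type="hidden" name="{parameter_name}" value="{token}" />'
    out = POST_FORM_RE.sub(lambda m: m.group(0) + hidden, html)
    if meta_tag:
        out = HEAD_RE.sub(lambda m: m.group(0) + f'<meta name="{meta_tag}" content="{token}"/>', out, count=1)
    return out

def request_allowed(method, headers, body, session_token, parameter_name="SEC"):
    """Input check: only POST is examined; the token may arrive in the X-CSRF-Token
    header or as a urlencoded body parameter. session_token is what the session stores."""
    if method.upper() != "POST":
        return True
    if not session_token:
        return False  # no token was ever issued to this session, so nothing can match
    supplied = headers.get("X-CSRF-Token")
    if supplied is None:
        supplied = parse_qs(body).get(parameter_name, [None])[0]
    # constant-time comparison is an added hardening choice, not something the page states
    return supplied is not None and hmac.compare_digest(supplied, session_token)

# Constructed sample body: the page's form (with an upper-case method) and a GET form to leave alone.
SAMPLE_HTML = ('<html><head><title>input form</title></head><body>'
               '<form action="/api" method="POST"><input type="text" name="email" /></form>'
               '<form action="/search" method="get"><input type="text" name="q" /></form>'
               '</body></html>')

def demo(token="0f15ba869f1c0d77"):
    """Filter the sample page and check several constructed requests against the same token."""
    return {
        "html": inject_token(SAMPLE_HTML, token, meta_tag="csrf_token"),
        "form_ok": request_allowed("POST", {}, f"email=a%40b.example&SEC={token}", token),
        "header_ok": request_allowed("POST", {"X-CSRF-Token": token}, "email=a%40b.example", token),
        "missing": request_allowed("POST", {}, "email=a%40b.example", token),
        "wrong": request_allowed("post", {"X-CSRF-Token": "0" * 16}, "", token),
        "get": request_allowed("GET", {}, "", token),
    }
```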
    use Plack::Builder;

    my $app = sub { ... };

    builder {
        enable 'Session';
        enable 'CSRFBlock',
            parameter_name => 'csrf_secret',   # name of the hidden form field (default "SEC")
            token_length   => 20,              # length of the generated token string
            session_key    => 'csrf_token',    # session key under which the token is stored
            blocked        => sub {            # PSGI application run when the token check fails
                [302, [Location => 'http://www.google.com'], ['']];
            },
            onetime        => 0;               # 1: regenerate the token after each accepted POST
        $app;
    };
Note: the "blocked" application can read the posted data, but DO NOT use it!
Setting "onetime" to a true value makes your application more secure, but in many cases it is too strict.
See also Plack::Middleware::Session, which must be enabled before CSRFBlock so that the token can be stored in the session.
This software is copyright (c) 2014 by the Authors of Plack-Middleware-CSRFBlock.
This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself.
2016-10-29 | perl v5.24.1 |