CsrfMiddleware

Struct CsrfMiddleware

pub struct CsrfMiddleware { /* private fields */ }

Actix Web middleware providing CSRF protection.

Supports two patterns:

  • Double-Submit Cookie (default): a token is stored in a cookie and echoed by the client.
  • Synchronizer Token (with actix-session): a token is stored server-side in the session.

§How It Works

  • For safe methods (GET/HEAD), the middleware ensures a token exists and may set it in cookies. For the Double-Submit Cookie pattern, an anonymous pre-session cookie may be issued before the user is authenticated.
  • For mutating methods (POST/PUT/PATCH/DELETE), a token is required. The middleware accepts tokens from the header DEFAULT_CSRF_TOKEN_HEADER or the body field DEFAULT_CSRF_TOKEN_FIELD for JSON or url-encoded bodies. multipart/form-data is rejected unless CsrfMiddlewareConfig::with_multipart is enabled.
  • On successful validation, the token is rotated.
  • Optional strict Origin/Referer checks can be enabled via CsrfMiddlewareConfig::with_enforce_origin.
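As an added example that is not the crate's own code, the std-only Rust block below models the gating rules listed above (safe methods pass; mutating methods need a token from the header or body field that matches the cookie token; multipart/form-data is gated by with_multipart; the Origin check is gated by with_enforce_origin) so the decision table can be exercised offline. The Policy, Req and gate names, the "csrf_token" field name standing in for DEFAULT_CSRF_TOKEN_FIELD, and the constant-time comparison are assumptions of this example, not details taken from the page.

```rust
use std::collections::HashMap;

// Placeholder: the page names DEFAULT_CSRF_TOKEN_FIELD but not its value.
const TOKEN_FIELD: &str = "csrf_token";

#[derive(Debug, PartialEq)]
pub enum Verdict { Pass, PassAndRotate, Reject(&'static str) }

pub struct Policy { pub allow_multipart: bool, pub enforce_origin: bool, pub site_origin: &'static str }

pub struct Req<'a> {
    pub method: &'a str,
    pub origin: Option<&'a str>,                // Origin header, if the client sent one
    pub content_type: Option<&'a str>,
    pub header_token: Option<&'a str>,          // value of the CSRF token header
    pub body_fields: HashMap<&'a str, &'a str>, // already-parsed JSON / url-encoded body
    pub cookie_token: Option<&'a str>,          // token held in the double-submit cookie
}

// Constant-time comparison so a token check does not leak how many bytes matched.
fn ct_eq(a: &str, b: &str) -> bool {
    a.len() == b.len() && a.bytes().zip(b.bytes()).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

pub fn gate(p: &Policy, r: &Req) -> Verdict {
    // Safe methods are never checked; the middleware only ensures a token exists.
    if matches!(r.method, "GET" | "HEAD") {
        return Verdict::Pass;
    }
    // Optional strict Origin check (with_enforce_origin) runs before token handling.
    if p.enforce_origin && r.origin != Some(p.site_origin) {
        return Verdict::Reject("origin mismatch");
    }
    let ct = r.content_type.unwrap_or("");
    let is_multipart = ct.starts_with("multipart/form-data");
    if is_multipart && !p.allow_multipart {
        return Verdict::Reject("multipart/form-data not enabled");
    }
    // The body field is only consulted for JSON, url-encoded or (when enabled) multipart bodies.
    let body_ok = ct.starts_with("application/json")
        || ct.starts_with("application/x-www-form-urlencoded")
        || is_multipart;
    let submitted = r.header_token
        .or_else(|| if body_ok { r.body_fields.get(TOKEN_FIELD).copied() } else { None });
    match (submitted, r.cookie_token) {
        (Some(s), Some(c)) if ct_eq(s, c) => Verdict::PassAndRotate, // success rotates the token
        _ => Verdict::Reject("missing or mismatched token"),
    }
}
```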

§Examples

Double-Submit Cookie (no session middleware required):

use actix_csrf_middleware::{CsrfMiddleware, CsrfMiddlewareConfig, CsrfToken};
use actix_web::{web, App, HttpResponse};

// The secret keys the CSRF token; it must be at least 32 bytes long.
let secret = b"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; // >= 32 bytes
let cfg = CsrfMiddlewareConfig::double_submit_cookie(secret);

let app = App::new()
    .wrap(CsrfMiddleware::new(cfg))
    // GET (safe method): the middleware issues a token and the CsrfToken extractor
    // exposes it so the handler can embed it in the form.
    .service(
        web::resource("/form").route(web::get().to(|csrf: CsrfToken| async move {
            Ok::<_, actix_web::Error>(HttpResponse::Ok().body(format!("token:{}", csrf.0)))
        }))
    )
    // POST (mutating method): the request only reaches this handler after the
    // submitted token has been validated against the cookie.
    .service(
        web::resource("/submit").route(web::post().to(|_csrf: CsrfToken| async move {
            Ok::<_, actix_web::Error>(HttpResponse::Ok())
        }))
    );

Synchronizer Token (requires actix-session) example:

use actix_csrf_middleware::{CsrfMiddleware, CsrfMiddlewareConfig};
use actix_session::{storage::CookieSessionStore, SessionMiddleware};
use actix_web::{App, cookie::Key};

// Same secret requirement as above: at least 32 bytes.
let cfg = CsrfMiddlewareConfig::synchronizer_token(b"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
let app = App::new()
    // The session middleware provides the server-side store the synchronizer token lives in.
    .wrap(SessionMiddleware::new(CookieSessionStore::default(), Key::generate()))
    .wrap(CsrfMiddleware::new(cfg));

Implementations§

impl CsrfMiddleware

pub fn new(config: CsrfMiddlewareConfig) -> Self

Creates a CSRF middleware instance with the given configuration.

See CsrfMiddlewareConfig for available options and examples.

Trait Implementations§

impl<S, B> Transform<S, ServiceRequest> for CsrfMiddleware
where S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error>, B: MessageBody,

type Response = ServiceResponse<EitherBody<B>>

Responses produced by the service.

type Error = Error

Errors produced by the service.

type Transform = CsrfMiddlewareService<S>

The TransformService value created by this factory.

type InitError = ()

Errors produced while building a transform service.

type Future = Ready<Result<<CsrfMiddleware as Transform<S, ServiceRequest>>::Transform, <CsrfMiddleware as Transform<S, ServiceRequest>>::InitError>>

The future response value.

fn new_transform(&self, service: S) -> Self::Future

Creates and returns a new Transform component, asynchronously.

Auto Trait Implementations§

Blanket Implementations§

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T> Instrument for T

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper.

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> Same for T

type Output = T

Should always be Self.

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

fn vzip(self) -> V

impl<T> WithSubscriber for T

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper.

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper.

impl<T> ErasedDestructor for T
where T: 'static,