pub struct CsrfMiddleware<Rng> { /* private fields */ }
Expand description

CSRF middleware to manage CSRF cookies and tokens.

Implementations

Creates a CSRF middleware with secure defaults. Namely:

  • The CSRF cookie will be prefixed with __Host-. This also implies the following:
    • Secure is set.
    • Domain is not set.
    • Path is set to /.
  • SameSite is set to Strict.
  • HttpOnly is set.

This represents the strictest possible configuration. Requests must be always sent over HTTPS. Users must explicitly relax these restrictions.

Creates a CSRF middleware with secure defaults and the provided Rng. Namely:

  • The CSRF cookie will be prefixed with __Host-. This also implies the following:
    • Secure is set.
    • Domain is not set.
    • Path is set to /.
  • SameSite is set to Strict.
  • HttpOnly is set.

This represents the strictest possible configuration. Requests must be always sent over HTTPS. Users must explicitly relax these restrictions.

Control whether we check for the token on requests.

Set a method and path to set a CSRF cookie. This should be all locations that whose response should set a cookie (via a Set-Cookie header) or those that need the CSRF token value in the response, such as for forms.

Sets the cookie name. Consider using host_prefixed_cookie_name or secure_prefixed_cookie_name to prefix the cookie name with __Host- or __Secure- on your behalf, or prefixing it manually.

Sets the cookie name, with __Host- automatically prefixed.

Examples

This functionally is equivalent to prefixing the cookie name with __Host-:

use actix_csrf::CsrfMiddleware;
use rand::rngs::StdRng;

let host_prefixed = CsrfMiddleware::<StdRng>::new()
    .host_prefixed_cookie_name("my_special_cookie");
let manually_prefixed = CsrfMiddleware::<StdRng>::new()
    .cookie_name("__Host-my_special_cookie");
assert_eq!(host_prefixed.cookie_config(), manually_prefixed.cookie_config());

Sets the cookie name. Consider using host_prefixed_cookie_name or manually prefixing it with __Host- for increased defense-in-depth measures. This is equivalent to calling cookie_name(format!("__Secure-{}", name)).

Examples

This functionally is equivalent to prefixing the cookie name with __Secure-:

use actix_csrf::CsrfMiddleware;
use rand::rngs::StdRng;

let host_prefixed = CsrfMiddleware::<StdRng>::new()
    .secure_prefixed_cookie_name("my_special_cookie");
let manually_prefixed = CsrfMiddleware::<StdRng>::new()
    .cookie_name("__Secure-my_special_cookie");
assert_eq!(host_prefixed.cookie_config(), manually_prefixed.cookie_config());

Sets the SameSite attribute on the cookie.

Sets the HttpOnly attribute on the cookie.

Sets the Secure attribute on the cookie.

Sets the domain of the cookie.

This is incompatible with __Host- prefixed cookies. If the cookie is a __Host- prefixed cookie, this function will downgrade the cookie to a use the __Secure- prefix instead. This weakens a defense-in-depth measure and is not recommended unless there is an unavoidable need and the security implications have been fully considered.

Produces an CSRF cookie config determined from the current middleware state. Note that this is not needed if you are using default cookie names.

Trait Implementations

Returns a copy of the value. Read more

Performs copy-assignment from source. Read more

Formats the value using the given formatter. Read more

Returns the “default value” for a type. Read more

This method tests for self and other values to be equal, and is used by ==. Read more

This method tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason. Read more

Responses produced by the service.

Errors produced by the service.

Errors produced while building a transform service.

The TransformService value created by this factory

The future response value.

Creates and returns a new Transform component, asynchronously

Auto Trait Implementations

Blanket Implementations

Gets the TypeId of self. Read more

Immutably borrows from an owned value. Read more

Mutably borrows from an owned value. Read more

Compare self to key and return true if they are equal.

Returns the argument unchanged.

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more

Instruments this type with the current Span, returning an Instrumented wrapper. Read more

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Should always be Self

The resulting type after obtaining ownership.

Creates owned data from borrowed data, usually by cloning. Read more

Uses borrowed data to replace owned data, usually by cloning. Read more

The type returned in the event of a conversion error.

Performs the conversion.

The type returned in the event of a conversion error.

Performs the conversion.

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more