Module actix_web::middleware::csrf
A filter for cross-site request forgery (CSRF).

This middleware is stateless and based on request headers. By default, requests are allowed only if one of these is true:

- The request method is safe (GET, HEAD, OPTIONS). It is the application's responsibility to ensure these methods cannot be used to execute unwanted actions. Note that upgrade requests for websockets are also considered safe.
- The Origin header (added automatically by the browser) matches one of the allowed origins.
- There is no Origin header, but the Referer header matches one of the allowed origins.

A request with an unsafe method that carries neither an Origin nor a Referer header is rejected. Use CsrfFilterBuilder::allow_xhr() if you want to allow requests with unsafe methods via CORS.
Example

```rust
use actix_web::*;
use actix_web::middleware::csrf;

fn handle_post(_req: HttpRequest) -> &'static str {
    "This action should only be triggered with requests from the same site"
}

fn main() {
    let app = Application::new()
        // Registered on the application, so every route below passes through the filter.
        .middleware(
            csrf::CsrfFilter::build()
                .allowed_origin("https://www.example.com")
                .finish())
        .resource("/", |r| {
            // GET is a safe method and is always let through.
            r.method(Method::GET).f(|_| httpcodes::HttpOk);
            // POST is unsafe: it needs an Origin (or Referer) matching the allowed origin.
            r.method(Method::POST).f(handle_post);
        })
        .finish();
}
```
In this example the entire application is protected from CSRF.
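The rules above are easy to get subtly wrong when reimplemented or audited, so here is an added, std-only model of the decision the filter makes, written for this page rather than taken from actix-web's own source. The function and type names (`csrf_check`, `origin_of`, `Rejection`) are assumptions for the example, and `allow_xhr` is modelled as "accept an unsafe request that carries X-Requested-With", on the assumption that a plain cross-site form cannot add that header and a CORS preflight would gate it; the page does not describe the real middleware's mechanism. The test inputs are constructed.

```rust
/// Why an unsafe request was rejected (assumed names; the page's own error
/// type is `CsrfError`, whose variants are not listed here).
#[derive(Debug, PartialEq)]
enum Rejection {
    MissingOrigin,     // unsafe method, neither Origin nor Referer present
    OriginNotAllowed,  // Origin present but not in the allow-list (includes "null")
    RefererNotAllowed, // no Origin; Referer unparseable or not in the allow-list
}

const SAFE_METHODS: [&str; 3] = ["GET", "HEAD", "OPTIONS"];

/// Reduce an absolute http(s) URL (e.g. a Referer) to its origin,
/// `scheme://host[:port]`, lower-cased. Relative URLs, other schemes and
/// URLs with userinfo yield None so odd Referer values fail closed.
/// No default-port normalisation is done: the allow-list must use the
/// exact form the browser sends in Origin (which omits default ports).
fn origin_of(url: &str) -> Option<String> {
    let (scheme, rest) = url.split_once("://")?;
    let scheme = scheme.to_ascii_lowercase();
    if scheme != "http" && scheme != "https" {
        return None;
    }
    // Keep host[:port]; drop path, query and fragment.
    let authority = rest.split(|c: char| c == '/' || c == '?' || c == '#').next()?;
    if authority.is_empty() || authority.contains('@') {
        return None;
    }
    Some(format!("{}://{}", scheme, authority.to_ascii_lowercase()))
}

/// Exact comparison against the allow-list. A prefix test would let
/// "https://www.example.com.evil.net" pass for "https://www.example.com".
fn origin_allowed(candidate: &str, allowed: &[&str]) -> bool {
    allowed.iter().any(|a| a.eq_ignore_ascii_case(candidate))
}

/// Apply the documented rules to one request.
fn csrf_check(
    method: &str,
    origin: Option<&str>,
    referer: Option<&str>,
    x_requested_with: bool,
    allowed: &[&str],
    allow_xhr: bool,
) -> Result<(), Rejection> {
    // Rule 1: safe methods always pass (the app must keep them side-effect free).
    if SAFE_METHODS.contains(&method) {
        return Ok(());
    }
    // Assumed model of allow_xhr(): a custom header that only CORS-approved
    // JavaScript can set is taken as proof the request is not a cross-site form.
    if allow_xhr && x_requested_with {
        return Ok(());
    }
    match (origin, referer) {
        // Rule 2: Origin present, so it alone decides; it must match exactly.
        // Browsers send "null" for opaque origins, which never matches.
        (Some(o), _) => {
            if origin_allowed(o, allowed) { Ok(()) } else { Err(Rejection::OriginNotAllowed) }
        }
        // Rule 3: no Origin, fall back to the Referer's origin.
        (None, Some(r)) => match origin_of(r) {
            Some(o) if origin_allowed(&o, allowed) => Ok(()),
            _ => Err(Rejection::RefererNotAllowed),
        },
        // Neither header: fail closed.
        (None, None) => Err(Rejection::MissingOrigin),
    }
}

fn main() {
    // Constructed sample requests against the allow-list from the page's example.
    let allowed = ["https://www.example.com"];
    let samples = [
        ("GET", None, None),
        ("POST", Some("https://www.example.com"), None),
        ("POST", Some("https://evil.net"), Some("https://www.example.com/")),
        ("POST", None, Some("https://www.example.com.evil.net/login")),
        ("POST", None, None),
    ];
    for (method, origin, referer) in samples {
        let verdict = csrf_check(method, origin, referer, false, &allowed, false);
        println!("{:<4} origin={:?} referer={:?} -> {:?}", method, origin, referer, verdict);
    }
}
```

The point to take from the model is that the Origin header, when present, decides on its own (a matching Referer does not rescue a mismatching Origin), that matching must be on the full origin rather than a string prefix, and that a Referer is only trusted after it has been reduced to an origin, so a lookalike host or a non-http URL does not slip through.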
Structs

- CsrfFilter: A middleware that filters cross-site requests.
- CsrfFilterBuilder: Used to build a CsrfFilter.

Enums

- CsrfError: Potential cross-site request forgery detected.