Struct actix_web::middleware::csrf::CsrfFilterBuilder

pub struct CsrfFilterBuilder { /* fields omitted */ }

Used to build a CsrfFilter.

To construct a CSRF filter:

  1. Call CsrfFilter::build to start building.
  2. Add allowed origins.
  3. Call finish to retrieve the constructed filter.

Example

use actix_web::middleware::csrf;

let csrf = csrf::CsrfFilter::build()
    .allowed_origin("https://www.example.com")
    .finish();

Methods

impl CsrfFilterBuilder

Add an origin that is allowed to make requests. Will be verified against the Origin request header.

Allow all requests with an X-Requested-With header.

A cross-site attacker should not be able to send requests with custom headers unless a CORS policy whitelists them. Therefore it should be safe to allow requests with an X-Requested-With header (added automatically by many JavaScript libraries).

This is disabled by default, because in Safari it is possible to circumvent this using redirects and Flash.

Use this method to enable more lax filtering.

Allow requests if the expected Origin header is missing (and there is no Referer to fall back on).

The filter is conservative by default, but it should be safe to allow missing Origin headers because a cross-site attacker cannot prevent the browser from sending Origin on unsafe requests.

Allow cross-site upgrade requests (for example to open a WebSocket).

Finishes building the CsrfFilter instance.
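
How the options described above change the outcome for a request, as an added example that is not actix-web's own code: a simplified, std-only model of the checks. `Policy`, `Req`, `Verdict`, `check` and `referer_origin` are hypothetical names, the request values are constructed, and letting safe methods pass unchecked is an assumption.

```rust
use std::collections::HashSet;

// Simplified model of the checks this page describes; not actix-web's own code.
#[derive(Default)]
struct Policy {
    origins: HashSet<String>,
    allow_xhr: bool,
    allow_missing_origin: bool,
    allow_upgrade: bool,
}

// Constructed request: only the parts the model inspects.
#[derive(Default)]
struct Req<'a> {
    method: &'a str,
    origin: Option<&'a str>,
    referer: Option<&'a str>,
    xhr: bool,     // X-Requested-With header present
    upgrade: bool, // Upgrade header present
}

#[derive(Debug, PartialEq)]
enum Verdict { Allow, Denied, MissingOrigin }

// Reduce a Referer URL to scheme://host[:port] so it can stand in for Origin.
fn referer_origin(url: &str) -> Option<&str> {
    let rest = url.split_once("://")?.1;
    Some(&url[..url.len() - rest.len() + rest.find('/').unwrap_or(rest.len())])
}

fn check(p: &Policy, r: &Req) -> Verdict {
    // Assumption: safe methods pass unchecked, except upgrades without allow_upgrade.
    let safe = matches!(r.method, "GET" | "HEAD" | "OPTIONS") && (p.allow_upgrade || !r.upgrade);
    if safe || (p.allow_xhr && r.xhr) { return Verdict::Allow; }
    match r.origin.or_else(|| r.referer.and_then(referer_origin)) {
        Some(o) if p.origins.contains(o) => Verdict::Allow,
        Some(_) => Verdict::Denied,
        None if p.allow_missing_origin => Verdict::Allow,
        None => Verdict::MissingOrigin,
    }
}

fn main() {
    let mut p = Policy { origins: HashSet::from(["https://www.example.com".to_string()]), ..Default::default() };
    let bare = Req { method: "POST", ..Default::default() }; // constructed: no Origin or Referer
    let strict = check(&p, &bare);
    p.allow_missing_origin = true;
    println!("default: {:?}, with allow_missing_origin: {:?}", strict, check(&p, &bare));
}
```

Each lax option widens what passes without an Origin match, so enable only the ones the deployment needs.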
