Struct actix_web::middleware::csrf::CsrfFilter
[−]
[src]
pub struct CsrfFilter { /* fields omitted */ }
A middleware that filters cross-site requests.
To construct a CSRF filter:
- Call
CsrfFilter::build
to start building. - Add allowed origins.
- Call finish to retrieve the constructed filter.
Example
use actix_web::App; use actix_web::middleware::csrf; let app = App::new().middleware( csrf::CsrfFilter::new() .allowed_origin("https://www.example.com"));
Methods
impl CsrfFilter
[src]
pub fn new() -> CsrfFilter
[src]
Start building a CsrfFilter
.
pub fn allowed_origin(self, origin: &str) -> CsrfFilter
[src]
Add an origin that is allowed to make requests. Will be verified
against the Origin
request header.
pub fn allow_xhr(self) -> CsrfFilter
[src]
Allow all requests with an X-Requested-With
header.
A cross-site attacker should not be able to send requests with custom
headers unless a CORS policy whitelists them. Therefore it should be
safe to allow requests with an X-Requested-With
header (added
automatically by many JavaScript libraries).
This is disabled by default, because in Safari it is possible to circumvent this using redirects and Flash.
Use this method to enable more lax filtering.
pub fn allow_missing_origin(self) -> CsrfFilter
[src]
Allow requests if the expected Origin
header is missing (and
there is no Referer
to fall back on).
The filter is conservative by default, but it should be safe to allow
missing Origin
headers because a cross-site attacker cannot prevent
the browser from sending Origin
on unsafe requests.
pub fn allow_upgrade(self) -> CsrfFilter
[src]
Allow cross-site upgrade requests (for example to open a WebSocket).
Trait Implementations
impl Default for CsrfFilter
[src]
fn default() -> CsrfFilter
[src]
Returns the "default value" for a type. Read more
impl<S> Middleware<S> for CsrfFilter
[src]
fn start(&self, req: &mut HttpRequest<S>) -> Result<Started>
[src]
Method is called when request is ready. It may return future, which should resolve before next middleware get called. Read more
fn response(
&self,
req: &mut HttpRequest<S>,
resp: HttpResponse
) -> Result<Response>
[src]
&self,
req: &mut HttpRequest<S>,
resp: HttpResponse
) -> Result<Response>
Method is called when handler returns response, but before sending http message to peer. Read more
fn finish(&self, req: &mut HttpRequest<S>, resp: &HttpResponse) -> Finished
[src]
Method is called after body stream get sent to peer.