Struct actix_web::middleware::csrf::CsrfFilter

pub struct CsrfFilter { /* private fields */ }

Expand description

A middleware that filters cross-site requests.

To construct a CSRF filter:

Call CsrfFilter::build to start building.
Add allowed origins.
Call finish to retrieve the constructed filter.

Example

use actix_web::middleware::csrf;
use actix_web::App;

let app = App::new()
    .middleware(csrf::CsrfFilter::new().allowed_origin("https://www.example.com"));

Implementations

impl CsrfFilter

pub fn new() -> CsrfFilter

Start building a CsrfFilter.

pub fn allowed_origin<T: Into<String>>(self, origin: T) -> CsrfFilter

Add an origin that is allowed to make requests. Will be verified against the Origin request header.

pub fn allow_xhr(self) -> CsrfFilter

Allow all requests with an X-Requested-With header.

A cross-site attacker should not be able to send requests with custom headers unless a CORS policy whitelists them. Therefore it should be safe to allow requests with an X-Requested-With header (added automatically by many JavaScript libraries).

This is disabled by default, because in Safari it is possible to circumvent this using redirects and Flash.

Use this method to enable more lax filtering.

pub fn allow_missing_origin(self) -> CsrfFilter

Allow requests if the expected Origin header is missing (and there is no Referer to fall back on).

The filter is conservative by default, but it should be safe to allow missing Origin headers because a cross-site attacker cannot prevent the browser from sending Origin on unprotected requests.

pub fn allow_upgrade(self) -> CsrfFilter

Allow cross-site upgrade requests (for example to open a WebSocket).

Trait Implementations

impl Default for CsrfFilter

fn default() -> CsrfFilter

Returns the “default value” for a type. Read more

impl<S> Middleware<S> for CsrfFilter

fn start(&self, req: &HttpRequest<S>) -> Result<Started>

Method is called when request is ready. It may return future, which should resolve before next middleware get called. Read more

fn response(&self, req: &HttpRequest<S>, resp: HttpResponse) -> Result<Response>

Method is called when handler returns response, but before sending http message to peer. Read more

fn finish(&self, req: &HttpRequest<S>, resp: &HttpResponse) -> Finished

Method is called after body stream get sent to peer.

Auto Trait Implementations

impl RefUnwindSafe for CsrfFilter

impl Send for CsrfFilter

impl Sync for CsrfFilter

impl Unpin for CsrfFilter

impl UnwindSafe for CsrfFilter

Blanket Implementations

impl<T> Any for Twhere
T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more

impl<T> Borrow<T> for Twhere
T: ?Sized,

const: unstable · source

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more

impl<T> BorrowMut<T> for Twhere
T: ?Sized,

const: unstable · source

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more

impl<T> From<T> for T

const: unstable · source

fn from(t: T) -> T

Returns the argument unchanged.

impl<T, U> Into<U> for Twhere
U: From<T>,

const: unstable · source

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> Same<T> for T

type Output = T

Should always be Self

impl<T, U> TryFrom<U> for Twhere
U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

const: unstable · source

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for Twhere
U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

const: unstable · source

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<V, T> VZip<V> for Twhere
V: MultiLane<T>,

fn vzip(self) -> V

impl<T> Erased for T