§axum-tower-sessions-csrf
CSRF protection for Axum using tower-sessions, implementing the Synchronizer Token Pattern as recommended by OWASP.
§Features
- 🔒 Cryptographically secure token generation
- 📦 Session-based token storage (the token lives in the tower-sessions session, so no separate CSRF cookie is needed)
- ⚡ Constant-time token validation (prevents timing attacks)
- 🎯 Automatic validation on POST/PUT/DELETE/PATCH requests
- 🔧 Simple integration with existing Axum applications
- 🪶 Lightweight with minimal dependencies
§Quick Start
```rust
use axum::{routing::get, Router};
use axum::middleware::from_fn;
use tower_sessions::{MemoryStore, SessionManagerLayer};
use axum_tower_sessions_csrf::CsrfMiddleware;

#[tokio::main]
async fn main() {
    // In-memory session store; swap in a persistent store for production.
    let session_store = MemoryStore::default();
    let session_layer = SessionManagerLayer::new(session_store);

    let app = Router::new()
        .route("/", get(|| async { "Hello!" }))
        // CSRF middleware first, session layer last: axum wraps each later
        // `.layer` call around the earlier ones, so the session layer runs
        // before the CSRF check and the session is available to it.
        .layer(from_fn(CsrfMiddleware::middleware))
        .layer(session_layer);

    // Run your app...
}
```
§Usage
- Add the middleware to your router. It must sit inside the `SessionManagerLayer`: call `.layer(session_layer)` after `.layer(from_fn(CsrfMiddleware::middleware))`, because axum treats later `.layer` calls as outer layers, so the session layer runs first and the session is populated when the CSRF check runs.
- Clients fetch a CSRF token via `get_or_create_token`.
- Clients include that token in the `x-csrf-token` header on state-changing requests (POST/PUT/DELETE/PATCH); the middleware compares it against the token stored in the session.
See the examples for complete working code.
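The check the middleware performs is the Synchronizer Token Pattern: a random per-session token, echoed back by the client in a header, compared in constant time on state-changing methods only. The following is an added stand-alone illustration of that logic, not the crate's code: the names `CsrfDecision`, `validate_request`, `constant_time_eq` and `requires_token` are this example's own, it uses only the standard library (the token is read from `/dev/urandom`, so it assumes a Unix-like host), and it adds one caveat worth checking in any implementation: a session that has no token yet must be rejected rather than compared against an empty header value.

```rust
// Added example of the Synchronizer Token Pattern; not the crate's own code.
// Names and the /dev/urandom source are assumptions made for this example.
use std::fs::File;
use std::io::Read;

/// Header name the client sends the token in (same name the page documents).
pub const CSRF_HEADER: &str = "x-csrf-token";

#[derive(Debug, PartialEq, Eq)]
pub enum CsrfDecision {
    /// Safe method (GET/HEAD/OPTIONS/TRACE): no token required.
    Allowed,
    /// State-changing method and the header token matches the session token.
    Verified,
    /// State-changing method but the session holds no token yet
    /// (client never fetched one); must not be treated as a match.
    NoSessionToken,
    /// State-changing method with no token in the header.
    MissingToken,
    /// State-changing method with a header token that does not match.
    InvalidToken,
}

/// 32 random bytes from the OS CSPRNG, hex-encoded. Reads /dev/urandom to stay
/// dependency-free here; a real implementation would use `rand` or `getrandom`.
pub fn generate_token() -> std::io::Result<String> {
    let mut bytes = [0u8; 32];
    File::open("/dev/urandom")?.read_exact(&mut bytes)?;
    Ok(bytes.iter().map(|b| format!("{:02x}", b)).collect())
}

/// Constant-time equality: always walks the full length of `a`, so the time
/// taken does not reveal the first differing byte. A length mismatch is folded
/// into the result instead of causing an early return.
pub fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    let mut diff: u8 = (a.len() != b.len()) as u8;
    for i in 0..a.len() {
        // Index `b` cyclically so the loop length depends only on `a`.
        let bi = if b.is_empty() { 0 } else { b[i % b.len()] };
        diff |= a[i] ^ bi;
    }
    diff == 0
}

/// Methods that must carry a token (the page lists POST/PUT/DELETE/PATCH).
pub fn requires_token(method: &str) -> bool {
    matches!(
        method.to_ascii_uppercase().as_str(),
        "POST" | "PUT" | "DELETE" | "PATCH"
    )
}

/// Decide whether a request passes the CSRF check, given the token stored in
/// the session and the value of the `x-csrf-token` header, if present.
pub fn validate_request(
    method: &str,
    session_token: &str,
    header_token: Option<&str>,
) -> CsrfDecision {
    if !requires_token(method) {
        return CsrfDecision::Allowed;
    }
    // Guard the empty-vs-empty case before any comparison is attempted.
    if session_token.is_empty() {
        return CsrfDecision::NoSessionToken;
    }
    match header_token {
        None => CsrfDecision::MissingToken,
        Some(t) if constant_time_eq(session_token.as_bytes(), t.as_bytes()) => {
            CsrfDecision::Verified
        }
        Some(_) => CsrfDecision::InvalidToken,
    }
}

fn main() {
    let token = generate_token().expect("read /dev/urandom");
    println!("GET, no header:      {:?}", validate_request("GET", &token, None));
    println!("POST, no header:     {:?}", validate_request("POST", &token, None));
    println!("POST, wrong token:   {:?}", validate_request("POST", &token, Some("deadbeef")));
    println!("POST, right token:   {:?}", validate_request("POST", &token, Some(&token)));
    println!("POST, empty session: {:?}", validate_request("POST", "", Some("")));
}
```

The method match is case-insensitive on purpose, since a lowercase `post` must not slip past as a "safe" method; the `NoSessionToken` branch is the case most hand-rolled implementations miss, because a plain equality check on two empty strings returns true.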
Structs§
- CsrfMiddleware - CSRF protection middleware
Constants§
- TOKEN_HEADER - CSRF token HTTP header name
- TOKEN_KEY - CSRF token session key (used internally by the middleware)
Functions§
- generate_token - Generate a cryptographically secure CSRF token
- get_or_create_token - Get existing CSRF token from session, or create a new one