Struct cosworth::prelude::csrf::CsrfFilter
pub struct CsrfFilter { /* private fields */ }
A middleware that filters cross-site requests.
To construct a CSRF filter:
- Call CsrfFilter::build to start building.
- Add allowed origins.
- Call finish to retrieve the constructed filter.
Example
use actix_web::middleware::csrf;
use actix_web::App;
let app = App::new()
    .middleware(csrf::CsrfFilter::new().allowed_origin("https://www.example.com"));
Implementations
impl CsrfFilter
pub fn new() -> CsrfFilter
Start building a CsrfFilter.
pub fn allowed_origin<T>(self, origin: T) -> CsrfFilter
where
    T: Into<String>,
Add an origin that is allowed to make requests. Will be verified against the Origin request header.
pub fn allow_xhr(self) -> CsrfFilter
Allow all requests with an X-Requested-With header.
A cross-site attacker should not be able to send requests with custom headers unless a CORS policy whitelists them. Therefore it should be safe to allow requests with an X-Requested-With header (added automatically by many JavaScript libraries).
This is disabled by default, because in Safari it is possible to circumvent this using redirects and Flash.
Use this method to enable more lax filtering.
pub fn allow_missing_origin(self) -> CsrfFilter
Allow requests if the expected Origin header is missing (and there is no Referer to fall back on).
The filter is conservative by default, but it should be safe to allow missing Origin headers because a cross-site attacker cannot prevent the browser from sending Origin on unprotected requests.
pub fn allow_upgrade(self) -> CsrfFilter
Allow cross-site upgrade requests (for example to open a WebSocket).
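How the builder options above combine, shown as a std-only model of the check. This is an added example, not actix-web's or cosworth's source; `Policy`, `Req`, `referer_origin`, `allowed` and `strict` are hypothetical names, the origins other than https://www.example.com are constructed samples, and the model assumes the request is one the filter checks.

```rust
use std::collections::HashSet;

// Hypothetical model types; field names mirror the builder methods on this page.
#[derive(Default)]
struct Policy {
    origins: HashSet<String>,
    allow_xhr: bool,
    allow_missing_origin: bool,
    allow_upgrade: bool,
}

// Only the request facts the options refer to.
#[derive(Default)]
struct Req<'a> {
    origin: Option<&'a str>,
    referer: Option<&'a str>,
    xhr: bool,     // X-Requested-With header present
    upgrade: bool, // Upgrade header present
}

// Cut a Referer URL down to scheme://host[:port] so it compares like an Origin.
fn referer_origin(referer: &str) -> Option<&str> {
    let start = referer.find("://")? + 3;
    let end = referer[start..].find('/').map_or(referer.len(), |i| start + i);
    Some(&referer[..end])
}

fn allowed(p: &Policy, r: &Req) -> bool {
    if (r.upgrade && p.allow_upgrade) || (r.xhr && p.allow_xhr) {
        return true; // the lax switches bypass the origin comparison
    }
    match r.origin.or_else(|| r.referer.and_then(referer_origin)) {
        Some(o) => p.origins.contains(o), // exact match, never prefix or substring
        None => p.allow_missing_origin,
    }
}

fn strict() -> Policy {
    Policy { origins: HashSet::from(["https://www.example.com".to_string()]), ..Default::default() }
}

fn main() {
    // Constructed sample requests.
    let lookalike = Req { origin: Some("https://www.example.com.attacker.test"), ..Default::default() };
    println!("lookalike origin allowed: {}", allowed(&strict(), &lookalike));
    println!("no Origin/Referer allowed: {}", allowed(&strict(), &Req::default()));
}
```

Because the comparison is an exact string match, the allowed origin must be registered with the same scheme, host and port the browser sends.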
Trait Implementations
impl Default for CsrfFilter
fn default() -> CsrfFilter
impl<S> Middleware<S> for CsrfFilter
fn start(&self, req: &HttpRequest<S>) -> Result<Started, Error>
fn response(
    &self,
    req: &HttpRequest<S>,
    resp: HttpResponse
) -> Result<Response, Error>
fn finish(&self, req: &HttpRequest<S>, resp: &HttpResponse) -> Finished
Auto Trait Implementations
impl RefUnwindSafe for CsrfFilter
impl Send for CsrfFilter
impl Sync for CsrfFilter
impl Unpin for CsrfFilter
impl UnwindSafe for CsrfFilter
Blanket Implementations
impl<T> IntoSql for T
fn into_sql<T>(self) -> Self::Expression
where
    Self: AsExpression<T> + Sized,
Convert self to an expression for Diesel’s query builder.
fn as_sql<'a, T>(&'a self) -> <&'a Self as AsExpression<T>>::Expression
where
    &'a Self: AsExpression<T>,
Convert &self to an expression for Diesel’s query builder.