rocket_csrf
CSRF (Cross-Site Request Forgery) protection for the Rocket web framework.
WARNING! The implementation is very simple for now and may not be ready for production.
Discussion about CSRF protection in Rocket is here.
Usage
Attach the fairing to the Rocket instance:

```rust
extern crate rocket;
extern crate serde_derive;
use rocket_contrib::templates::Template;
```
Add the guard to any request handler where you need access to the session's CSRF token (e.g. to include it in a form) or want to verify one (e.g. to validate a submitted form):

```rust
use rocket::response::Redirect;
use rocket::request::Form;
use rocket_contrib::templates::Template;
use rocket_csrf::CsrfToken;
```
Get the CSRF token from the guard to use it in templates:
Add the CSRF token to your HTML forms in templates as a hidden field named `authenticity_token` (the template variable name is whatever you pass from the handler):

```html
<input type="hidden" name="authenticity_token" value="{{ authenticity_token }}">
<!-- your fields -->
```
Add the attribute authenticity_token to your forms:
Validate that submitted forms carry a valid authenticity token:
See the complete code in the minimal example.
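As an added, Rocket-free illustration of the check the validation step performs (this is not rocket_csrf's own code): a stand-in for the session token held by the guard, which verifies the form's `authenticity_token` against it using a constant-time comparison, plus a minimal form-body parser so the handler logic runs stand-alone. The `SessionToken`, `handle_create` and `parse_form` names, the `CsrfError` variants and the `text` form field are constructed for this example.

```rust
use std::collections::HashMap;

/// Why a submitted form was rejected (constructed for this example).
#[derive(Debug, PartialEq)]
pub enum CsrfError { MissingToken, InvalidToken }

/// Stand-in for the per-session token the fairing keeps in a cookie and the
/// request guard hands to handlers; the guard's accessor would return it.
pub struct SessionToken(pub String);

/// Compare without short-circuiting on the first mismatch, so response timing
/// does not reveal how many leading bytes of a guessed token were right.
pub fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() { return false; }
    let mut diff = 0u8;
    for (x, y) in a.iter().zip(b.iter()) { diff |= x ^ y; }
    diff == 0
}

impl SessionToken {
    /// Accept the form only if its `authenticity_token` equals the session token.
    pub fn verify(&self, submitted: Option<&str>) -> Result<(), CsrfError> {
        match submitted {
            None | Some("") => Err(CsrfError::MissingToken),
            Some(t) if constant_time_eq(self.0.as_bytes(), t.as_bytes()) => Ok(()),
            Some(_) => Err(CsrfError::InvalidToken),
        }
    }
}

/// Minimal application/x-www-form-urlencoded parser: '+' becomes a space,
/// %XX escapes are left as-is (enough for a hex token).
pub fn parse_form(body: &str) -> HashMap<String, String> {
    body.split('&')
        .filter(|pair| !pair.is_empty())
        .map(|pair| {
            let (k, v) = pair.split_once('=').unwrap_or((pair, ""));
            (k.replace('+', " "), v.replace('+', " "))
        })
        .collect()
}

/// What a `create` handler does before touching the comment: check the token
/// first, then use the remaining fields. Returns the comment text on success.
pub fn handle_create(session: &SessionToken, body: &str) -> Result<String, CsrfError> {
    let form = parse_form(body);
    session.verify(form.get("authenticity_token").map(String::as_str))?;
    Ok(form.get("text").cloned().unwrap_or_default())
}
```

A missing or empty token is reported separately from a wrong one so that logs can distinguish a form that never carried the field from a forged or stale submission.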
TODO
- Add fairing to verify all requests as an option.
- Add data guard to verify forms with a guard.
- Add helpers to render form field.
- Add helpers to add HTML meta tags for Ajax with the X-CSRF-Token header.
- Verify the X-CSRF-Token header.
- Use authenticity token encryption from Ruby on Rails.
- Allow configuring CSRF protection (CSRF token byte length, cookie name, etc.).
- Set cookie to expire with session.