Crate csrf [−] [src]
Crate providing cross-site request forgery (CSRF) protection for Rust web frameworks..
Overview
CSRF is done checking all requests with the HTTP method POST, PUT, PATCH, and DELETE for the presence of a CSRF token and cookie. Cryptographic signing ensures that only the true owner of a cookie can perform actios against an API.
Protection
There are three ways that csrf checks for the presence of a CSRF token.
- The query string
csrf-tokenin the body for requests withContent-Type: application/x-www-form-urlencoded - The query string
csrf-tokenin the URL - The header
X-CSRF-Token
The selection is done short circuit, so the first present wins, and retrieval only fails if the token is not present in any of the fields.
Tokens have a time to live (TTL) that defaults to 3600 seconds. If a token is stale, validation will fail.
In the provided implementations, tokens are cryptographically signed, so tampering with a token
or its signature will cause the validation to fail. Validation failures will return a 403 Forbidden.
Signatures and other data needed for validation are stored in a cookie that is sent to the user
via the Set-Cookie header.
Modules
| core |
Module containing the core functionality for CSRF protection. |
| error |
Module containing the CSRF error types. |
| serial |