Crate csrf [−] [src]
Crate providing cross-site request forgery (CSRF) protection primitives
Overview
csrf
provides the basic building blocks you will need to implement CSRF protection for the
web framework of your choice. csrf
generates encrypyed, signed tokens and cookies, and
verifies that they have not been tampered with and that they match.
This crate is used by iron-csrf and be used as a
reference for using csrf
in other applications.
Hello, CSRF.
A simple example of how to use this library is as follows.
extern crate csrf; extern crate data_encoding; use csrf::{AesGcmCsrfProtection, CsrfProtection}; use data_encoding::BASE64; fn main() { let protect = AesGcmCsrfProtection::from_key(*b"01234567012345670123456701234567"); let (token, cookie) = protect.generate_token_pair(None, 300) .expect("couldn't generate token/cookie pair"); let token_str = token.b64_string(); let cookie_str = cookie.b64_string(); // add them to outgoing response // wait for incoming connection // extract them from an incoming request let token_bytes = BASE64.decode(token_str.as_bytes()).expect("token not base64"); let cookie_bytes= BASE64.decode(cookie_str.as_bytes()).expect("cookie not base64"); let parsed_token = protect.parse_token(&token_bytes).expect("token not parsed"); let parsed_cookie = protect.parse_cookie(&cookie_bytes).expect("cookie not parsed"); assert!(protect.verify_token_pair(&parsed_token, &parsed_cookie)); }
Warning
CSRF protection is not a substitute for authentication or authorization. It only exists to prevent malicious entities from forcing users to take actions they did not intend. If this is unclear, please read the Wikipedia article.
Structs
AesGcmCsrfProtection |
Uses AES-GCM to provide signed, encrypted CSRF tokens and cookies. |
ChaCha20Poly1305CsrfProtection |
Uses ChaCha20Poly1305 to provide signed, encrypted CSRF tokens and cookies. |
CsrfCookie |
A signed, encrypted CSRF cookie that is suitable to be displayed to end users. |
CsrfToken |
A signed, encrypted CSRF token that is suitable to be displayed to end users. |
HmacCsrfProtection |
Uses HMAC to provide authenticated CSRF tokens and cookies. |
UnencryptedCsrfCookie |
Internal represenation of an unencrypted CSRF cookie. This is not suitable to send to end users. |
UnencryptedCsrfToken |
Internal represenation of an unencrypted CSRF token. This is not suitable to send to end users. |
Enums
CsrfError |
An |
Constants
CSRF_COOKIE_NAME |
The name of the cookie for the CSRF validation data and signature. |
CSRF_FORM_FIELD |
The name of the form field for the CSRF token. |
CSRF_HEADER |
The name of the HTTP header for the CSRF token. |
CSRF_QUERY_STRING |
The name of the query parameter for the CSRF token. |
Traits
CsrfProtection |
The base trait that allows a developer to add CSRF protection to an application. |