Crate rocket_csrf_guard
Ergonomic CSRF protection for Rocket applications.
The main macro with_csrf_token enables CSRF protection for a given rocket::form::Form.
Slap on a double-submit cookie or a session-based CSRF token and you're good to go.
Look at the examples/ folder for more detailed examples of all the functionality in a test app.
Structs
- A wrapper which verifies that a request has passed CSRF checks by checking the headers
- A wrapper form which parses the initial form, dereferences to it, and ensures CSRF checks pass
- A wrapper for a CsrfProtectedForm which also runs a guard. This is useful when you want to run some code that requires a CSRF check to have passed (e.g. in a secure-by-default framework).
- Wrapper type to enable CSRF protection from header values
- CSRF protection using double-submit cookies.
- Construct a CsrfToken from thin air. Use this only in extremely sparing circumstances, e.g. when you have no choice but to send a CSRF token embedded somewhere unusual and only have the string. This can cause all sorts of security problems.
Enums
- Errors when validating a CheckCsrfProtectionHeader
- A proof that a request has passed CSRF checks. Useful for constructing secure-by-default frameworks, as seen in this blogpost
- Errors when validating a CsrfProtectedForm
- Errors which can happen when verifying a CSRF token
Constants
- Default double submit cookie name.
Traits
- A type that can verify whether a WithUserProvidedCsrfToken actually has a valid CSRF token. Lets us be generic over session-based or other CSRF tokens. This trait is async, but we recommend you keep DB fetches out of it (use Rocket request caching as in the examples) or use other mechanisms to keep things quick. The returned Proof will be set in the request-local cache for other request guards to query.
- Trait for easily implementing a verifier when you know the expected token.
- A thing that has a CSRF token provided from user input
Type Aliases
- Default DoubleSubmitCookieCsrfToken setting, using rocket::http::SameSite::Strict and an expiry of 10 minutes.
- Lax DoubleSubmitCookieCsrfToken setting, using rocket::http::SameSite::Lax and an expiry of 10 minutes.
- Insecure DoubleSubmitCookieCsrfToken setting, using rocket::http::SameSite::None and an expiry of 20 seconds. Avoid this as much as possible.
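The double-submit cookie check described above (cookie plus matching form token, with a SameSite setting and an expiry, returning a Proof that a handler can demand) as a stand-alone worked example. This is added code written against std only, not rocket_csrf_guard's own implementation: the names issue_cookie, hidden_input, verify_double_submit, CsrfCheckProof, CsrfError and the cookie name "csrf-token" are illustrative and do not match the crate's API, and the random bytes are fixed so the example runs offline (a real deployment must draw them from a CSPRNG).

```rust
// Added example, not rocket_csrf_guard's code: the double-submit-cookie check
// the crate automates, modelled with std only. All names here are assumptions.
use std::time::{Duration, SystemTime, UNIX_EPOCH};

/// SameSite attribute of the CSRF cookie (models rocket::http::SameSite).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum SameSite { Strict, Lax, None }

/// The cookie half of the double-submit pair.
#[derive(Clone, Debug)]
pub struct CsrfCookie {
    pub name: &'static str,
    pub value: String,     // hex encoding of 32 random bytes
    pub issued_at: u64,    // unix seconds
    pub max_age: Duration,
    pub same_site: SameSite,
}

/// Issue a cookie from caller-supplied random bytes. In production these must
/// come from a CSPRNG (e.g. the `getrandom` crate); the demo feeds fixed bytes.
pub fn issue_cookie(random: &[u8; 32], now: u64, same_site: SameSite, max_age: Duration) -> CsrfCookie {
    CsrfCookie {
        name: "csrf-token", // assumed name; the crate exports its own default constant
        value: random.iter().map(|b| format!("{b:02x}")).collect(),
        issued_at: now,
        max_age,
        same_site,
    }
}

/// The form half: the same token echoed as a hidden field in the HTML form.
pub fn hidden_input(cookie: &CsrfCookie) -> String {
    format!("<input type=\"hidden\" name=\"{}\" value=\"{}\">", cookie.name, cookie.value)
}

/// Constant-time equality for fixed-length tokens (length itself is not secret).
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() { return false; }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Proof that a request passed the CSRF check. The field is private, so the
/// only way to obtain one is through `verify_double_submit`; a handler that
/// takes it as a parameter cannot be reached without the check having run.
#[derive(Debug)]
pub struct CsrfCheckProof { _private: () }

#[derive(Debug, PartialEq, Eq)]
pub enum CsrfError { MissingCookie, MissingFormToken, Expired, Mismatch }

/// The double-submit check: cookie present, not expired, and equal to the
/// token submitted in the form body. Expiry is checked before the comparison.
pub fn verify_double_submit(cookie: Option<&CsrfCookie>, form_token: Option<&str>, now: u64) -> Result<CsrfCheckProof, CsrfError> {
    let cookie = cookie.ok_or(CsrfError::MissingCookie)?;
    let submitted = form_token.ok_or(CsrfError::MissingFormToken)?;
    let expires_at = cookie.issued_at.saturating_add(cookie.max_age.as_secs());
    if now >= expires_at { return Err(CsrfError::Expired); }
    if !ct_eq(cookie.value.as_bytes(), submitted.as_bytes()) { return Err(CsrfError::Mismatch); }
    Ok(CsrfCheckProof { _private: () })
}

/// A state-changing handler that is secure by default: it cannot be called
/// without a proof, so forgetting the CSRF check is a compile error, not a bug.
pub fn delete_account(_proof: CsrfCheckProof, user: &str) -> String {
    format!("deleted {user}")
}

fn main() {
    let now = SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs();
    let random = [0x42u8; 32]; // constructed for the demo; use a CSPRNG for real
    let cookie = issue_cookie(&random, now, SameSite::Strict, Duration::from_secs(600));
    println!("{}", hidden_input(&cookie));
    // Legitimate post-back: the browser sends the cookie and the form echoes it.
    match verify_double_submit(Some(&cookie), Some(&cookie.value), now + 5) {
        Ok(proof) => println!("{}", delete_account(proof, "alice")),
        Err(e) => println!("rejected: {e:?}"),
    }
    // Cross-site post: the attacker's page cannot read the cookie, so the form
    // token is wrong (or absent) and the request is rejected.
    println!("{:?}", verify_double_submit(Some(&cookie), Some("attacker-guess"), now + 5));
    // Same token presented after the 10-minute window has elapsed.
    println!("{:?}", verify_double_submit(Some(&cookie), Some(&cookie.value), now + 600));
}
```

The expiry is the reason the crate's type aliases pair a SameSite level with a lifetime: SameSite::None disables the browser-side defence entirely, so the alias that uses it shrinks the window to 20 seconds to limit how long a leaked token stays useful. The proof type shows the "secure by default" idea from the Enums and Traits entries: the crate stores its Proof in the request-local cache so other guards can require it, whereas here it is simply returned to the caller.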
Attribute Macros
- Macro to enable CSRF protection for a given rocket::form::Form.