Expand description
Ergonomic CSRF protection for Rocket applications.
The main macro with_csrf_token enables CSRF protection for a given rocket::form::Form.
Slap on a double submit cookie or a session based CSRF token and you’re good to go.
Look at the examples/ folder for more detailed examples of all the functionality in a test app.
Structs§
- Check
Csrf Protection Header - A wrapper which verifies that a request has passed CSRF checks via checking for the headers
- Csrf
Protected Form - A wrapper form which parses the initial form, dereferences to it, and ensures CSRF checks pass
- Csrf
Protected Form With Guard - A wrapper for a CsrfProtectedForm which also runs a guard. This is useful in scenarios when you want to run some code that requires a CSRF check to have passed (e.g. in a secure by default framework).
- Csrf
Token Sourced From Header - Wrapper type to enable csrf protection from header values
- Double
Submit Cookie Csrf Token - CSRF protection using Double Submit cookies.
- Manually
Sourced Csrf Token_ DO_ NOT_ USE_ UNLESS_ YOU_ ARE_ SURE - Construct a CsrfToken from thin air. Use this in extremely sparing circumstances: e.g. you have no choice but to send a csrf token embedded somewhere random and just have the string. This can cause all sorts of security problems.
Enums§
- Check
Csrf Protection Header Error - Errors when validating a
CheckCsrfProtectionHeader - Csrf
Check Proof - A proof that a request has passed CSRF checks. Useful for constructing secure by default frameworks, as seen in this blogpost
- Csrf
Protected Form Error - Errors when validating a
CsrfProtectedForm - Csrf
Token Verification Error - Errors which can happen when verifying a CSRF token
Constants§
- DOUBLE_
SUBMIT_ CSRF_ TOKEN_ COOKIE_ NAME - Default double submit cookie name.
Traits§
- Csrf
Token Verifier - A type that can verify whether a
WithUserProvidedCsrfTokenactually has a valid csrf token Lets us be generic over session based or other csrf tokens This trait is async, but we recommend you keep DB fetches out (use rocket request caching as in the examples) or other mechanisms to keep things quick The returnedProofwill be set in the request local cache for other request guards to query - Verifier
With Known Expected Token - Trait for easily implementing a verifier when you know the expected token.
- With
User Provided Csrf Token - A thing that has a csrf token provided from user input
Type Aliases§
- Double
Submit Cookie Csrf Protected Form - SetDouble
Submit Cookie Csrf Token - Default
DoubleSubmitCookieCsrfTokensetting, usingrocket::http::SameSite::Strictand an expiry of 10 minutes. - SetLax
Double Submit Cookie Csrf Token - Lax
DoubleSubmitCookieCsrfTokensetting, usingrocket::http::SameSite::Laxand an expiry of 10 minutes. - SetNone
Double Submit Cookie Csrf Token_ DO_ NOT_ USE_ UNLESS_ YOU_ ARE_ SURE - Insecure
DoubleSubmitCookieCsrfTokensetting, usingrocket::http::SameSite::Noneand an expiry of 20 seconds. Avoid this as much as possible.
Attribute Macros§
- with_
csrf_ token - Macro to enable CSRF protection for a given
rocket::form::Form.