[][src]Crate xsrf

A library to provide Cross-site request forgery protection.

Getting this right can be tricky, and this library aims to provide the primitives to be able to do this without making it too easy to get it wrong. Remember though, this needs to be coupled with the HTTP layer correctly as well in order to ensure it provide protection.


This library provides primitives, and is meant to be used as a building block. The suggested way to use this is to write a library to integrate this with your favorite HTTP stack. For example, if you're using actix then don't use this directly but instead go use actix-xsrf.


The library uses what seems to now be the standard method used by various popular frameworks.

  • A CookieToken is issued and stored in the cookie or the session. Remember to use a secure signed cookie.
  • From this CookieToken, one or more RequestTokens can be issued. You can issue one per request, or multiple. Any number of them can be validated against the original CookieToken.
  • The RequestToken should either be embedded in your HTML form, or sent via a HTTP header (often the case for requests initiated in JavaScript).
  • The server side should validate this under the right circumstances.


  • rand is used to generate cryptographically secure tokens.
  • RequestTokens use a one-time-pad and are xor-ed with the CookieToken to protect against BREACH.
  • subtle is used to protect against timing attacks.





Type Definitions