A library to provide Cross-site request forgery protection.
Getting this right can be tricky, and this library aims to provide the primitives needed to do it without making it too easy to get wrong. Remember, though, that it needs to be coupled correctly with the HTTP layer in order to actually provide protection.
This library provides primitives, and is meant to be used as a building block. The suggested way to use this is to write a library to integrate this with your favorite HTTP stack. For example, if you're using actix then don't use this directly but instead go use actix-xsrf.
The library uses what seems to now be the standard method used by various popular frameworks.
- A `CookieToken` is issued and stored in a cookie or in the session. Remember to use a secure, signed cookie.
- From this `CookieToken`, one or more `RequestToken`s can be issued. You can issue one per request, or multiple. Any number of them can be validated against the original `CookieToken`.
- The server side should validate this under the right circumstances.
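To make the two-token scheme concrete, here is a small std-only Rust sketch of it, added as an example and not code from this crate. The type names `CookieToken` and `RequestToken` follow the list above; the method names `from_secret`, `issue`, `validate`, `to_hex` and `from_hex` are assumed, and the mask-and-XOR construction (each request token is a fresh random mask followed by the secret XORed with that mask) is one common way to derive many request tokens from one cookie token, not necessarily what this crate does. The secret and each mask must come from a CSPRNG; the caller supplies them here because `std` has no RNG.

```rust
/// Length of the secret held in the cookie and of each per-request mask.
const TOKEN_LEN: usize = 32;

/// The secret stored (signed) in the cookie or session.
#[derive(Clone, PartialEq, Debug)]
pub struct CookieToken([u8; TOKEN_LEN]);

/// A per-request token: `mask || (secret XOR mask)`, sent in a form field or header.
#[derive(Clone, PartialEq, Debug)]
pub struct RequestToken([u8; 2 * TOKEN_LEN]);

impl CookieToken {
    /// Wrap a freshly generated secret. `secret` must come from a CSPRNG (assumption:
    /// the caller owns the RNG, since this sketch uses only `std`).
    pub fn from_secret(secret: [u8; TOKEN_LEN]) -> Self {
        CookieToken(secret)
    }

    /// Issue one request token. A fresh random `mask` per call means two tokens
    /// for the same cookie never look alike, yet all validate against it.
    pub fn issue(&self, mask: [u8; TOKEN_LEN]) -> RequestToken {
        let mut out = [0u8; 2 * TOKEN_LEN];
        out[..TOKEN_LEN].copy_from_slice(&mask);
        for i in 0..TOKEN_LEN {
            out[TOKEN_LEN + i] = self.0[i] ^ mask[i];
        }
        RequestToken(out)
    }

    /// Unmask the request token and compare it with the secret without
    /// short-circuiting, so a mismatch does not leak its position via timing.
    pub fn validate(&self, token: &RequestToken) -> bool {
        let (mask, masked) = token.0.split_at(TOKEN_LEN);
        let mut diff = 0u8;
        for i in 0..TOKEN_LEN {
            diff |= (masked[i] ^ mask[i]) ^ self.0[i];
        }
        diff == 0
    }
}

impl RequestToken {
    /// Hex form suitable for a hidden form field or a request header.
    pub fn to_hex(&self) -> String {
        self.0.iter().map(|b| format!("{:02x}", b)).collect()
    }

    /// Parse the hex form; anything of the wrong length or alphabet is rejected.
    pub fn from_hex(s: &str) -> Option<RequestToken> {
        if s.len() != 4 * TOKEN_LEN || !s.bytes().all(|b| b.is_ascii_hexdigit()) {
            return None;
        }
        let mut out = [0u8; 2 * TOKEN_LEN];
        for (i, pair) in s.as_bytes().chunks(2).enumerate() {
            out[i] = u8::from_str_radix(std::str::from_utf8(pair).ok()?, 16).ok()?;
        }
        Some(RequestToken(out))
    }
}
```

Whether a request token is required at all (for example only on state-changing methods) is the HTTP layer's decision, which is the coupling the text above warns about.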