csrf-protection

CSRF Protection

Defend against Cross-Site Request Forgery attacks using multiple protection layers.

Protection Methods

Method How It Works Browser Support

Synchronizer Token Hidden form field validated server-side All

Double Submit Cookie + header must match All

SameSite Cookie Browser blocks cross-origin requests Modern

Token-Based Protection (Express)

const crypto = require('crypto');

function generateToken() { return crypto.randomBytes(32).toString('hex'); }

// Middleware app.use((req, res, next) => { if (!req.session.csrfToken) { req.session.csrfToken = generateToken(); } res.locals.csrfToken = req.session.csrfToken; next(); });

// Validation app.post('*', (req, res, next) => { const token = req.body._csrf || req.headers['x-csrf-token']; if (!token || !crypto.timingSafeEqual( Buffer.from(token), Buffer.from(req.session.csrfToken) )) { return res.status(403).json({ error: 'Invalid CSRF token' }); } next(); });

SameSite Cookies

app.use(session({ cookie: { httpOnly: true, secure: true, sameSite: 'strict', // or 'lax' maxAge: 3600000 } }));

HTML Form Integration

<form method="POST" action="/transfer"> <input type="hidden" name="_csrf" value="<%= csrfToken %>"> <button type="submit">Submit</button> </form>

Best Practices

Apply to all state-changing requests (POST, PUT, DELETE)
Use SameSite=Strict for sensitive cookies
Validate Origin/Referer headers
Never use GET for modifications
Implement token expiration (1 hour typical)
Combine multiple defense layers

Additional Implementations

See references/python-react.md for:

Flask-WTF complete CSRF setup
React hooks for CSRF token management
Double submit cookie pattern

Common Mistakes

Assuming authentication prevents CSRF
Reusing tokens across sessions
Storing tokens in localStorage
Missing token expiration

csrf-protection

Safety Notice

Copy this and send it to your AI assistant to learn

Source Transparency

Related Skills

tailwind-v4-shadcn

aceternity-ui

playwright

zod