
server-csrf-check

1.0.0

@yoshuawuyts


Validate a client-side CSRF token + cookie on a server.

This package uses stateless CSRF protection by requiring every request to carry both a cookie and an HTTP header. The server then verifies that the two values are the same, which shows the request came from the right domain. This works because a page can only read / write cookies for its own domain and set the header.

It compares the X-CSRF-token header value with the CSRF_token value in the cookie. Clients should set these values.

This is a first layer of defence that is vulnerable to XSS, but it is relatively cheap to implement. To also prevent XSS-based CSRF, consider using per-request tokens.

This is also not a replacement for authentication tokens (OAuth or otherwise); it merely prevents those tokens from being exploited by malicious agents.

Installation

$ npm install server-csrf-check

Usage

const csrfCheck = require('server-csrf-check')
const http = require('http')

http.createServer(function (req, res) {
  // reject the request when the X-CSRF-token header and CSRF_token cookie differ
  if (!csrfCheck(req, res)) return res.end('CSRF detected')
  res.end('all good')
}).listen()

API

bool = serverCsrfCheck(req, res)

Check an IncomingMessage for equality between its X-CSRF-token header and its CSRF_token cookie. Returns a boolean.

See Also

  • owasp/csrf
  • whitehatsec/session-token
  • blog.jdriven/stateless-csrf
  • mdn/sessionStorage

License

MIT