final class TSecCSRF[F[_], A] extends AnyRef
Middleware to avoid Cross-site request forgery attacks. More info on CSRF at: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

This middleware is modeled after the double submit cookie pattern: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Double_Submit_Cookie

When a user authenticates, embedNew is used to send a random CSRF value as a cookie. (Alternatively, an authenticating service can be wrapped in withNewToken.)

For requests that are unsafe (PUT, POST, DELETE, PATCH), services protected by the validate method of the middleware will check that the CSRF token is present in both the header headerName and the cookie cookieName.

Due to the Same-Origin policy, an attacker will be unable to reproduce this value in a custom header, resulting in a 401 Unauthorized response.

Requests with safe methods (such as GET, OPTIONS, HEAD) will have a new token embedded in them if there isn't one, or will receive a refreshed token based off of the previous token to mitigate the BREACH vulnerability. If a request contains an invalid token, regardless of whether it is a safe method, this middleware will fail it with 401 Unauthorized. In this situation, your user(s) should clear their cookies for your site to receive a new token.

We'd like to emphasize that you follow proper design principles when creating endpoints, so as not to mutate state in what should otherwise be idempotent methods (i.e. no dropping your DB or altering user data in a GET handler). If you choose not to, this middleware cannot protect you.
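As an added illustration (not tsec's own code), the double-submit check described above modelled in Python: a token is a random value plus an HMAC over it and a per-response nonce, unsafe requests must carry matching valid tokens in both header and cookie, safe requests get a fresh or refreshed token, and any invalid token fails with 401. The token layout raw.nonce.mac, the default header and cookie names, and re-signing after a valid unsafe request are assumptions of this model, not tsec's format.

```python
import hmac
import hashlib
import secrets

UNSAFE = {"POST", "PUT", "DELETE", "PATCH"}


class CsrfGuard:
    """Model of the double-submit cookie check; the raw.nonce.mac layout is an assumption."""

    def __init__(self, key: bytes, header_name="X-Csrf-Token", cookie_name="csrf", token_length=32):
        self.key, self.header_name, self.cookie_name, self.token_length = key, header_name, cookie_name, token_length

    def sign_token(self, raw: str) -> str:
        # A fresh nonce on every signing: the same raw value yields a different token
        # string per response, so the secret never repeats byte-for-byte in compressed bodies (BREACH).
        nonce = secrets.token_hex(8)
        mac = hmac.new(self.key, f"{raw}.{nonce}".encode(), hashlib.sha256).hexdigest()
        return f"{raw}.{nonce}.{mac}"

    def extract_raw(self, token: str):
        """Verify the signature and return the raw value, or None if the token is invalid."""
        parts = token.split(".")
        if len(parts) != 3:
            return None
        raw, nonce, mac = parts
        expected = hmac.new(self.key, f"{raw}.{nonce}".encode(), hashlib.sha256).hexdigest()
        return raw if hmac.compare_digest(expected, mac) else None  # constant-time, as isEqual should be

    def generate_token(self) -> str:
        return self.sign_token(secrets.token_hex(self.token_length))

    def handle(self, method: str, headers: dict, cookies: dict):
        """Return (status, token_to_set); a token means 'set it as the CSRF cookie on the response'."""
        cookie = cookies.get(self.cookie_name)
        if method.upper() in UNSAFE:
            header = headers.get(self.header_name)
            if cookie is None or header is None:
                return 401, None  # token must be present in both places
            c_raw, h_raw = self.extract_raw(cookie), self.extract_raw(header)
            if c_raw is None or h_raw is None or not hmac.compare_digest(c_raw, h_raw):
                return 401, None  # bad signature or header/cookie mismatch
            return 200, self.sign_token(c_raw)  # assumption: re-sign after a valid unsafe request
        if cookie is None:
            return 200, self.generate_token()  # like embedNew: no token yet
        raw = self.extract_raw(cookie)
        if raw is None:
            return 401, None  # an invalid token fails even on a safe method
        return 200, self.sign_token(raw)  # refreshed token carrying the same raw value
```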
- Source: TSecCSRF.scala
Value Members
- final def !=(arg0: Any): Boolean
  - Definition Classes: AnyRef → Any
- final def ##(): Int
  - Definition Classes: AnyRef → Any
- final def ==(arg0: Any): Boolean
  - Definition Classes: AnyRef → Any
- final def asInstanceOf[T0]: T0
  - Definition Classes: Any
- def checkEqual(token1: CSRFToken, token2: CSRFToken): OptionT[F, Boolean]
- def clone(): AnyRef
  - Attributes: protected[java.lang]
  - Definition Classes: AnyRef
  - Annotations: @native() @throws( ... )
- val cookieName: String
- def embedNew(response: Response[F]): F[Response[F]]
- final def eq(arg0: AnyRef): Boolean
  - Definition Classes: AnyRef
- def equals(arg0: Any): Boolean
  - Definition Classes: AnyRef → Any
- def extractRaw(token: CSRFToken): OptionT[F, String]
  - Extract a signed token
- def filter(predicate: (Request[F]) ⇒ Boolean, request: Request[F], service: HttpRoutes[F]): OptionT[F, Response[F]]
- def finalize(): Unit
  - Attributes: protected[java.lang]
  - Definition Classes: AnyRef
  - Annotations: @throws( classOf[java.lang.Throwable] )
- def generateToken: F[CSRFToken]
- final def getClass(): Class[_]
  - Definition Classes: AnyRef → Any
  - Annotations: @native()
- def hashCode(): Int
  - Definition Classes: AnyRef → Any
  - Annotations: @native()
- val headerName: String
- def isEqual(s1: String, s2: String): Boolean
- final def isInstanceOf[T0]: Boolean
  - Definition Classes: Any
- final def ne(arg0: AnyRef): Boolean
  - Definition Classes: AnyRef
- final def notify(): Unit
  - Definition Classes: AnyRef
  - Annotations: @native()
- final def notifyAll(): Unit
  - Definition Classes: AnyRef
  - Annotations: @native()
- def signToken(string: String): F[CSRFToken]
- final def synchronized[T0](arg0: ⇒ T0): T0
  - Definition Classes: AnyRef
- def toString(): String
  - Definition Classes: AnyRef → Any
- val tokenLength: Int
- def validate(predicate: (Request[F]) ⇒ Boolean = _.method.isSafe): CSRFMiddleware[F]
- final def wait(): Unit
  - Definition Classes: AnyRef
  - Annotations: @throws( ... )
- final def wait(arg0: Long, arg1: Int): Unit
  - Definition Classes: AnyRef
  - Annotations: @throws( ... )
- final def wait(arg0: Long): Unit
  - Definition Classes: AnyRef
  - Annotations: @native() @throws( ... )
- def withNewToken: CSRFMiddleware[F]