CSRF Protection
Cross-Site Request Forgery (CSRF) allows an attacker to perform actions on behalf of another person without their knowledge or permission.
Coast protects your application from CSRF attacks by denying unidentified requests. HTTP requests with POST, PUT and DELETE methods are checked to make sure that the right people from the right place invoke these requests.
How It Works
- Coast creates a CSRF secret for each request on your site.
- A corresponding token for the secret is generated for each request and passed to all
formandform-forfunctions in thecsrfand*anti-forgery-token*bindings - Whenever a POST, PUT or DELETE request is made, the middleware verifies the token with the secret to make sure it is valid.
Components
Coast makes three components available for easy CSRF integration
A hidden input with the csrf token:
csrf
(ns some-ns
(:require [coast]))
[:form {:action "/" :method :post}
(coast/csrf)]
A form with the hidden input already added to the body:
form
(ns some-ns
(:require [coast]))
(coast/form {:action "/" :method :post}) ; already includes the `csrf` part
And finally a form that includes the csrf hidden input in the body, and also takes a route handler name instead of a map:
; example routes
[:post "/customers" :customer/create]
[:put "/customers/:customer-id" :customer/change]
(coast/form-for :customer/create)
; ... inputs go here
(coast/form-for :customer/change {:customer/id 123})
; ... inputs go here
Coast was designed to ensure you don't have to think about low-level details of web applications like CSRF protection but it's always nice to know what's going on under the hood.
Can you improve this documentation?Edit on GitHub
cljdoc is a website building & hosting documentation for Clojure/Script libraries
× close