This middleware prevents CSRF attacks by providing a randomly-generated anti-forgery token.
Add the following dependency to your project.clj
:
[ring-anti-forgery "0.3.0"]
Apply the wrap-anti-forgery
middleware to your Ring handler:
(use 'ring.middleware.anti-forgery)
(def app
(wrap-anti-forgery handler))
Any request that isn't a HEAD
or GET
request will now require an
anti-forgery token, or an "access denied" response will be returned.
The token is bound to the session, and accessible via the
*anti-forgery-token*
var.
By default the middleware looks for the anti-forgery token in the
__anti-forgery-token
form parameter, which can be added to your
forms as a hidden field. For convenience, this library provides a
function to generate the HTML of that hidden field:
(use 'ring.util.anti-forgery)
(anti-forgery-field) ;; returns the HTML for the anti-forgery field
The middleware also looks for the token in the X-CSRF-Token
and
X-XSRF-Token
header fields. This behavior can be customized further
using the :read-token
option:
(defn get-custom-token [request]
(get-in request [:headers "x-forgery-token"]))
(def app
(wrap-anti-forgery handler {:read-token get-custom-token}))
It's also possible to customize the error response returned when the token is invalid or missing:
(def custom-error-response
{:status 403
:headers {"Content-Type" "text/html"}
:body "<h1>Missing anti-forgery token</h1>"})
(def app
(wrap-anti-forgery-token handler {:error-response custom-error-response}))
The anti-forgery middleware will prevent POSTs, PUTs, PATCHes, and DELETEs, working for web service routes, so you should only apply this middleware to the part of your website meant to be accessed by browsers.
Copyright © 2013 James Reeves
Distributed under the MIT License.
Can you improve this documentation?Edit on GitHub
cljdoc is a website building & hosting documentation for Clojure/Script libraries
× close