Using csurf with react-server

About

Asked 4/1, 2017 at 13:3 Answered 19/7, 2017 at 22:39

javascript node.js reactjs csrf react-server

I would like to add csurf as an express middleware inside the react-server for a universal app.

What I want to achieve is adding the csrf token to a hidden input in a form in the react component to maintain the same csrf protection flow a server-rendered website would provide, but within a SPA.

Is this technically possible within the react-server? If so, how can I pass the csrf token that is available in the response object to the react component via the page (ideally)?

Brogan answered 4/1, 2017 at 13:3 Comment(0)

I actually ran into the same problem and luckily happened to come across the solution here: https://github.com/kriasoft/react-starter-kit/issues/1142

to use it just do:

app.use(csrf({ cookie: true, value: (req) => (req.cookies.csrfToken) }));

and then for every get request set a cookie with the csrf token:

res.cookie('csrfToken', req.csrfToken ? req.csrfToken() : null, { sameSite: true, httpOnly: true });

Loveridge answered 19/7, 2017 at 22:39 Comment(3)

Thanks for pointing this out, it seems to be a fairly generic solution so it may work in a react-server context as well. – Brogan 20/7, 2017 at 20:59

I don't get what the point of this is though. If you're auto setting the token in every request, without receiving it from the client, its pretty much useless – Butcherbird 17/10, 2020 at 1:34

I think that the custom value function that checks for the CSRF token shouldn't look inside the cookies, but in the body or in the header of the request, as per default behaviour in the csurf docs, otherwise checking the cookie lets the server prone to the CSRF attack you are trying to defend from! – Accipitrine 22/10, 2020 at 10:40

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags