Cross-site request forgery
Cross-site request forgery (CSRF) is an attack that tricks a victim's browser into sending state-changing requests to a web application in which the victim is authenticated, so that the forged requests ride on the victim's session cookie. Connect/Express comes packaged with a CSRF protection middleware. This middleware lets us ensure that a request that mutates state was issued from our own pages rather than from a third-party site. The CSRF middleware creates a random token and stores it in the request's session as _csrf. A state-changing request to our Express server (anything other than GET, HEAD or OPTIONS) then needs to echo that token back, normally in the X-CSRF-Token header field (Connect also accepts it as a _csrf field in the request body or query string). A request whose token is missing or does not match the value in the session is rejected with 403 Forbidden.
Let's create a security module, ./lib/security/index.js, that adds the csrf middleware to our application. We define a function, Security, that takes an Express app as an argument and skips the middleware when in TEST or COVERAGE mode, so automated tests can post without a token. Keep in mind that this also means the test suite never exercises the CSRF check itself. Because the token lives in the session, express.csrf() must be registered after the cookie parser and session middleware, and after the body parser if the token is to be read from the request body, so Security(app) has to be called after those are set up.
var express = require('express');

// Adds Connect's CSRF middleware unless we are running tests or coverage,
// in which case state-changing requests are allowed through without a token.
function Security(app) {
  if (process.env['NODE_ENV'] === "TEST" ||
      process.env['NODE_ENV'] === "COVERAGE") return;
  app.use(express.csrf());
}

module.exports = Security;
Let's make...