Addressing Cross-Site Request Forgery (CSRF) attacks
CSRF attacks resemble XSS attacks in that both involve more than one site. In a CSRF attack, malicious content on another site forges a bogus request to the application. To prevent such an attack, a CSRF token is generated for each page view, included as a hidden value in each HTML FORM, and then checked when the FORM is submitted. A mismatch between the tokens causes the request to be denied.
The csurf package (https://www.npmjs.com/package/csurf) is designed to be used with Express. In the notes directory, run this:

$ npm install csurf --save

Then install the middleware like so:
import csrf from 'csurf';
...
app.use(cookieParser());
app.use(csrf({ cookie: true }));
The csurf middleware must be installed after the cookieParser middleware, since in cookie mode it relies on the cookie that cookieParser parses.
Next, for every page that includes a FORM, we must generate and send a token with the page. That requires two things: in the res.render call we generate the token, and then in the view template we include the token as a...