justinas / Nosurf

Licence: mit
CSRF protection middleware for Go.

nosurf

nosurf is an HTTP package for Go that helps you prevent Cross-Site Request Forgery attacks. It acts like a middleware and therefore is compatible with basically any Go HTTP application.

Why?

Even though CSRF is a prominent vulnerability, Go's web-related package ecosystem consists mostly of micro-frameworks that do not implement CSRF checks, nor should they.

nosurf solves this problem by providing a CSRFHandler that wraps your http.Handler and checks for CSRF on every non-safe request, i.e. every method other than GET, HEAD, OPTIONS and TRACE. Safe methods are passed through unchecked, so any handler that changes state on a GET is outside what nosurf can protect.

nosurf requires Go 1.1 or later.

Features

  • Supports any http.Handler (frameworks, your own handlers, etc.) and acts like one itself.
  • Allows exempting specific endpoints from CSRF checks by an exact URL, a glob, or a regular expression.
  • Allows specifying your own failure handler. Want to present the hacker with an ASCII middle finger instead of the plain old HTTP 400? No problem.
  • Uses masked tokens to mitigate the BREACH attack.
  • Has no dependencies outside the Go standard library.
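How the masked tokens in the last bullet blunt BREACH, as an added example that is not nosurf's own code: a standard-library reimplementation of the same scheme, in which the function names (generateToken, maskToken, unmaskToken, decode, verifyToken, maskedB64) are this example's own. BREACH works by injecting attacker-chosen bytes into a compressed, TLS-protected response and watching its length shrink as the guess converges on a secret that is repeated verbatim in the body. Masking each rendering of the token with a fresh one-time pad (the rendered token is pad || secret XOR pad, base64-encoded) means the bytes in the page never repeat between responses, while the cookie keeps the bare secret and verification unmasks both sides before a constant-time comparison.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

// tokenLength is the size in bytes of the real (unmasked) secret; nosurf also uses 32.
// Everything below is an added, illustrative reimplementation of the masking scheme,
// not the library's own code.
const tokenLength = 32

// generateToken returns a fresh random secret, the value that lives in the CSRF cookie.
func generateToken() []byte {
	b := make([]byte, tokenLength)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to continue past
	}
	return b
}

// maskToken XORs the secret with a fresh one-time pad and returns pad || (secret XOR pad).
// Every call produces different bytes for the same secret, so the token that ends up in
// a compressed response body is never a stable string for BREACH to recover.
func maskToken(secret []byte) []byte {
	pad := make([]byte, len(secret))
	if _, err := rand.Read(pad); err != nil {
		panic(err)
	}
	masked := make([]byte, 2*len(secret))
	copy(masked, pad)
	for i := range secret {
		masked[len(secret)+i] = secret[i] ^ pad[i]
	}
	return masked
}

// unmaskToken recovers the secret from pad || (secret XOR pad).
func unmaskToken(masked []byte) []byte {
	n := len(masked) / 2
	secret := make([]byte, n)
	for i := 0; i < n; i++ {
		secret[i] = masked[n+i] ^ masked[i]
	}
	return secret
}

// decode accepts either form, base64(secret) as stored in the cookie or base64(masked)
// as rendered into the page, and returns the secret; nil means the input was malformed
// and must be treated as a failed check rather than compared.
func decode(b64 string) []byte {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil
	}
	switch len(raw) {
	case tokenLength:
		return raw
	case 2 * tokenLength:
		return unmaskToken(raw)
	}
	return nil
}

// verifyToken has the contract of nosurf.VerifyToken: both arguments may be masked
// or unmasked, and the final comparison is constant-time.
func verifyToken(realB64, sentB64 string) bool {
	r, s := decode(realB64), decode(sentB64)
	if r == nil || s == nil {
		return false
	}
	return subtle.ConstantTimeCompare(r, s) == 1
}

// maskedB64 is what a template would render into the hidden csrf_token field.
func maskedB64(secret []byte) string {
	return base64.StdEncoding.EncodeToString(maskToken(secret))
}

func main() {
	secret := generateToken()
	a, b := maskedB64(secret), maskedB64(secret)
	fmt.Println("two renderings differ:", a != b)                                    // true
	fmt.Println("yet both verify:", verifyToken(a, b))                               // true
	fmt.Println("another secret fails:", verifyToken(a, maskedB64(generateToken()))) // false
}
```

Two renderings of the same secret are different base64 strings, both verify against each other and against the bare cookie value, and a malformed, truncated or foreign token is rejected by decode before any comparison happens, so there is nothing for a length-dependent compare to leak.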

Example

package main

import (
	"fmt"
	"html/template"
	"log"
	"net/http"

	"github.com/justinas/nosurf"
)

const templateString = `
<!doctype html>
<html>
<body>
{{ if .name }}
<p>Your name: {{ .name }}</p>
{{ end }}
<form action="/" method="POST">
<input type="text" name="name">

<!-- Try removing this or changing its value
     and see what happens -->
<input type="hidden" name="csrf_token" value="{{ .token }}">
<input type="submit" value="Send">
</form>
</body>
</html>
`
var templ = template.Must(template.New("t1").Parse(templateString))

func myFunc(w http.ResponseWriter, r *http.Request) {
	context := make(map[string]string)
	// nosurf.Token(r) returns a freshly masked token for this request;
	// the template puts it into the hidden csrf_token field.
	context["token"] = nosurf.Token(r)
	if r.Method == "POST" {
		// Reaching this branch means nosurf has already accepted the token.
		context["name"] = r.FormValue("name")
	}

	if err := templ.Execute(w, context); err != nil {
		log.Println("template:", err)
	}
}

func main() {
	myHandler := http.HandlerFunc(myFunc)
	fmt.Println("Listening on http://127.0.0.1:8000/")
	// nosurf.New wraps the handler: non-safe requests without a valid token
	// never reach myFunc.
	log.Fatal(http.ListenAndServe(":8000", nosurf.New(myHandler)))
}

Manual token verification

In some cases the CSRF token may be sent in a non-standard way, e.g. the request body is a JSON-encoded message and the token is one of its fields.

In that case the handler (path) has to be excluded from automatic verification with one of the exemption methods. An exempted endpoint is no longer checked by nosurf at all, so checking the token becomes the handler's own responsibility; an exemption without a manual check leaves that endpoint open to CSRF:

	func (h *CSRFHandler) ExemptFunc(fn func(r *http.Request) bool)
	func (h *CSRFHandler) ExemptGlob(pattern string)
	func (h *CSRFHandler) ExemptGlobs(patterns ...string)
	func (h *CSRFHandler) ExemptPath(path string)
	func (h *CSRFHandler) ExemptPaths(paths ...string)
	func (h *CSRFHandler) ExemptRegexp(re interface{})
	func (h *CSRFHandler) ExemptRegexps(res ...interface{})

Later on, the token must be verified by hand: nosurf.Token(r) returns the token the middleware derived from the cookie for this request, and the token taken from the body is compared against it with VerifyToken(realToken, sentToken string) bool, which accepts masked or unmasked tokens on either side.

Example:

import (
	"encoding/json"
	"net/http"

	"github.com/justinas/nosurf"
)

func HandleJson(w http.ResponseWriter, r *http.Request) {
	d := struct {
		X, Y int
		Tkn  string
	}{}
	if err := json.NewDecoder(r.Body).Decode(&d); err != nil {
		http.Error(w, "malformed JSON", http.StatusBadRequest)
		return
	}
	// nosurf.Token(r) is the token for this request; VerifyToken unmasks
	// both sides as needed and compares them in constant time.
	if !nosurf.VerifyToken(nosurf.Token(r), d.Tkn) {
		http.Error(w, "CSRF token incorrect", http.StatusBadRequest)
		return
	}
	// do smth cool
}
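The whole request flow the sections above describe, as an added example that is not nosurf's code: a toy double-submit-cookie middleware written against the standard library only, in the shape of CSRFHandler (safe methods pass, an ExemptFunc-style predicate skips the check, a custom failure handler answers rejected requests, and an exempted JSON endpoint verifies the token from its body by hand), driven through net/http/httptest so the outcomes can be checked without a browser. The cookie name csrf_token, the X-CSRF-Token header, the /api exemption and every function name here are this example's assumptions, and BREACH masking is left out to keep the focus on the request flow.

```go
package main

import (
	"context"
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Toy double-submit-cookie CSRF middleware in the shape of nosurf.CSRFHandler. This is an
// added example, not the library's code: the names and wiring are assumptions, masking is omitted.
const cookieName = "csrf_token"

var safeMethods = map[string]bool{"GET": true, "HEAD": true, "OPTIONS": true, "TRACE": true}

type ctxKey struct{}

type csrfHandler struct {
	next, failure http.Handler
	exempt        func(*http.Request) bool // exempted paths must verify the token themselves
}

// tokenFrom returns the token the middleware attached to the request context.
func tokenFrom(r *http.Request) string {
	v, _ := r.Context().Value(ctxKey{}).(string)
	return v
}

// verify compares the cookie token with the submitted one in constant time.
func verify(real, sent string) bool {
	return real != "" && subtle.ConstantTimeCompare([]byte(real), []byte(sent)) == 1
}

func (h *csrfHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	real := ""
	if c, err := r.Cookie(cookieName); err == nil {
		real = c.Value
	}
	if real == "" { // first visit: issue a fresh secret (an unsafe request in this state fails)
		b := make([]byte, 32)
		if _, err := rand.Read(b); err != nil {
			panic(err)
		}
		real = base64.StdEncoding.EncodeToString(b)
		http.SetCookie(w, &http.Cookie{Name: cookieName, Value: real, Path: "/", HttpOnly: true, SameSite: http.SameSiteLaxMode})
	}
	r = r.WithContext(context.WithValue(r.Context(), ctxKey{}, real))
	if safeMethods[r.Method] || h.exempt(r) {
		h.next.ServeHTTP(w, r) // safe method or exempted path: no check here
		return
	}
	if !verify(real, r.Header.Get("X-CSRF-Token")) {
		h.failure.ServeHTTP(w, r)
		return
	}
	h.next.ServeHTTP(w, r)
}

// newApp wires a page that exposes the token and an exempted JSON endpoint that checks it by hand.
func newApp() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, tokenFrom(r)) })
	mux.HandleFunc("/api", func(w http.ResponseWriter, r *http.Request) {
		var d struct{ Tkn string } // encoding/json matches the "tkn" key case-insensitively
		if err := json.NewDecoder(r.Body).Decode(&d); err != nil || !verify(tokenFrom(r), d.Tkn) {
			http.Error(w, "CSRF token incorrect", http.StatusBadRequest)
			return
		}
		fmt.Fprint(w, "api ok")
	})
	return &csrfHandler{next: mux,
		failure: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { http.Error(w, "CSRF check failed", http.StatusForbidden) }),
		exempt:  func(r *http.Request) bool { return strings.HasPrefix(r.URL.Path, "/api") }}
}

// do sends one in-memory request and returns status and body.
func do(app http.Handler, method, path, cookie, token, body string) (int, string) {
	req := httptest.NewRequest(method, path, strings.NewReader(body))
	req.Header.Set("X-CSRF-Token", token) // empty on the requests that omit it
	if cookie != "" {
		req.AddCookie(&http.Cookie{Name: cookieName, Value: cookie})
	}
	rec := httptest.NewRecorder()
	app.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

// scenario: POST without token, POST with token, exempted JSON POST with a wrong token, then a right one.
func scenario() []int {
	app := newApp()
	_, tok := do(app, "GET", "/", "", "", "")
	s1, _ := do(app, "POST", "/", tok, "", "")
	s2, _ := do(app, "POST", "/", tok, tok, "")
	s3, _ := do(app, "POST", "/api", tok, "", `{"tkn":"bogus"}`)
	s4, _ := do(app, "POST", "/api", tok, "", `{"tkn":"`+tok+`"}`)
	return []int{s1, s2, s3, s4}
}

func main() {
	fmt.Println(scenario()) // [403 200 400 200]
}
```

scenario() returns [403 200 400 200]: the POST without a token is stopped by the failure handler before the application sees it, the POST carrying the token passes, and on the exempted path the middleware steps aside entirely, so the 400 for the bogus token comes from the handler's own VerifyToken-style check, which is exactly the check a forgotten exemption would silently lose.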

Contributing

  1. Find an issue that bugs you / open a new one.
  2. Discuss.
  3. Branch off, commit, test.
  4. Make a pull request / attach the commits to the issue.