This project demonstrates a secure full-stack web application using:
- Node.js + Express (Backend)
- HTML + JavaScript (Frontend)
- CSRF Protection using Tokens
- CORS handling for secure communication
It shows how to prevent Cross-Site Request Forgery (CSRF) attacks in real-world applications.
- β Secure form submission
- β CSRF token generation & validation
- β Cookie-based session handling
- β Express backend API
- β Static frontend serving
- β Clean and simple UI
- Frontend: HTML, JavaScript
- Backend: Node.js, Express
- Security: CSRF (csurf), CORS
- Session Management: express-session
secure-app/
β
βββ backend/
β βββ server.js
β βββ package.json
β βββ node_modules/
β
βββ frontend/
βββ index.html
βββ script.js
cd backend
npm install
node server.js
http://localhost:5000
- Server generates a CSRF token
- Token is sent to frontend (
/csrf-token) - Frontend includes token in request headers
- Server validates token before processing request
- Form submission works successfully
- Remove CSRF token from
script.js - You will get:
ForbiddenError: invalid csrf token
- CORS controls which origins can access the backend
- Used when frontend and backend run on different ports
- Understanding of CORS vs CSRF
- Real implementation of web security
- Handling cookies and sessions
- Secure API design
- π Add JWT Authentication
- ποΈ Integrate MongoDB database
- π¨ Improve UI with Tailwind/React
- π Deploy using Render/Vercel