This repository has been archived by the owner on Sep 14, 2022. It is now read-only.

docs: improve note under ignoring routes example
closes #84
scottymcribs authored and dougwilson committed Jan 29, 2016
1 parent 44bfeda commit 8b46d18
Showing 1 changed file with 8 additions and 3 deletions.
11 changes: 8 additions & 3 deletions README.md
@@ -146,9 +146,14 @@ input field named `_csrf`:

### Ignoring Routes

CSRF should be disabled for API areas of websites where requests are all
going to be fully authenticated and should be rate limited. The following
is an example of how to ignore API routing using routers & express.
**Note** CSRF checks should only be disabled for requests that you expect to
come from outside of your website. Do not disable CSRF checks for requests
that you expect to only come from your website. An existing session, even if
it belongs to an authenticated user, is not enough to protect against CSRF
attacks.

The following is an example of how to order your routes so that certain endpoints
do not check for a valid CSRF token.

```js
var cookieParser = require('cookie-parser')
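Review bot: the new note states which requests may skip the CSRF check but drops the removed paragraph's point that such API routes must be "fully authenticated" by other means, so a reader could exempt a cookie-authenticated API route and still be exposed. Suggest adding a sentence after `attacks.` such as: `Requests that come from outside your website should authenticate with credentials the browser does not attach automatically, such as a token sent in a request header, rather than relying on the session cookie.` Also consider writing `**Note:**` (or a line break after `**Note**`) so the bold label does not run directly into the sentence.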

0 comments on commit 8b46d18
