docs: add example of csurf ignoring routes

closes #77 closes #79
expressjs · Aug 12, 2015 · b5dd3e2 · b5dd3e2
1 parent d85a93a
commit b5dd3e2
Showing 1 changed file with 52 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -144,6 +144,58 @@ input field named `_csrf`:
 </form>
 ```
 
+### Ignoring Routes
+
+CSRF should be disabled for API areas of websites where requests are all
+going to be fully authenticated and should be rate limited. The following
+is an example of how to ignore API routing using routers & express.
+
+```js
+var cookieParser = require('cookie-parser')
+var csrf = require('csurf')
+var bodyParser = require('body-parser')
+var express = require('express')
+
+// setup route middlewares
+var csrfProtection = csrf({ cookie: true })
+var parseForm = bodyParser.urlencoded({ extended: false })
+
+// create express app
+var app = express()
+
+// parse cookies
+// we need this because "cookie" is true in csrfProtection
+app.use(cookieParser())
+
+// create api router
+var api = createApiRouter()
+
+// mount api before csrf is appended to the app stack
+app.use('/api', api)
+
+// now add csrf, after the "/api" was mounted
+app.use(csrfProtection)
+
+app.get('/form', function(req, res) {
+  // pass the csrfToken to the view
+  res.render('send', { csrfToken: req.csrfToken() })
+})
+
+app.post('/process', parseForm, function(req, res) {
+  res.send('csrf was required to get here')
+})
+
+function createApiRouter() {
+  var router = new express.Router()
+
+  router.post('/getProfile', function(req, res) {
+    res.send('no csrf to get here')
+  })
+
+  return router
+}
+```
+
 ### Custom error handling
 
 When the CSRF token validation fails, an error is thrown that has