
csrf

1 parent d07665e commit 92da48c79bb2405509d4f84f255924eab5c44456 @tj tj committed Oct 13, 2012
Showing with 22 additions and 0 deletions.
  1. +22 −0 en/api/mw-csrf.jade
@@ -0,0 +1,22 @@
+
+section
+ h3(id='csrf') csrf()
+
+ p.
+ CRSF protection middleware.
+
+ p.
+ By default this middleware generates a token named "_csrf"
+ which should be added to requests which mutate
+ state, within a hidden form field, query-string etc. This
+ token is validated against the visitor's <code>req.session._csrf</code>
+ property.
+
+ p.
+ The default <code>value</code> function checks <code>req.body</code> generated
+ by the <code>bodyParser()</code> middleware, <code>req.query</code> generated
+ by <code>query()</code>, and the "X-CSRF-Token" header field.
+
+ p.
+ This middleware requires session support, thus should be added
+ somewhere below <code>session()</code>.
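Review bot: the first paragraph misspells the acronym ("CRSF protection middleware." should read "CSRF protection middleware."), which matters in a reference page that users will search by name. The description also never says what the middleware does when the token is absent or does not match; the failure behaviour (whether the request is rejected and with which status) is the part readers most need, so add a sentence for it. Since the text documents that the token is accepted from <code>req.query</code>, consider a short note that placing the token in a query string exposes it in server logs and Referer headers, and that the hidden form field or the "X-CSRF-Token" header is the safer carrier.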
