This project demonstrates secure authentication practices and CSRF (Cross-Site Request Forgery) vulnerabilities through a practical web application.
This educational project consists of two main components:
- Secure Authentication App: A Node.js Express application implementing best practices in web authentication and security.
- CSRF Testing Tools: Utilities to demonstrate how CSRF attacks work and how to protect against them.
The secure authentication app provides:
- User registration with strong password requirements
- Secure login with session management
- Protection against brute force attacks
- Account locking after failed attempts
- CSRF protection on sensitive operations
Security controls implemented in the app:
- Password hashing with bcrypt
- Rate limiting for login attempts
- Session cookies flagged Secure, so they are sent only over HTTPS
- SameSite cookie restrictions, so the browser withholds the session cookie on cross-site requests
- CSRF token validation on state-changing requests
- Input validation and sanitization
- Content Security Policy (CSP)
- Protection against other common web vulnerabilities
The CSRF demonstration component includes:
- A deliberately vulnerable endpoint to demonstrate CSRF attacks
- Interactive CSRF test tool for educational purposes
- Step-by-step guide to understand and test CSRF vulnerabilities
Prerequisites:
- Node.js (v12 or higher)
- npm or yarn

To install and run the application:
- Clone the repository
- Install dependencies:
```bash
cd secure-auth-app
npm install
```
- Start the application:
```bash
npm run dev
```
- Access the application at http://localhost:3000
This project contains deliberately vulnerable components, clearly marked, for educational purposes. The CSRF demonstration tools help you understand:
- How CSRF attacks work
- Why CSRF protection is necessary
- How to implement proper CSRF protections
Project structure:
```
secure-auth-app/            - Main application
  public/                   - Static files and frontend
  routes/                   - API routes
  middleware/               - Express middleware
  app.js                    - Main application file
csrf-test.html, csrf-test.js - CSRF testing tool
csrf-demo-instructions.html - Tutorial for CSRF demonstration
```
To run the CSRF demonstration:
- Register and log in to the secure app
- Open the CSRF test tool in another tab
- Configure it to target the vulnerable endpoint
- Generate and execute the CSRF attack
- Observe the logged-in account's state change without any action by that user
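What the test tool generates in step 4, and why the attack lands on the vulnerable endpoint but not on a protected one, can be shown in a few functions. The following is an added example written for this README, not the project's `csrf-test.js`: it builds the auto-submitting form page a CSRF attack uses and models which cross-site requests a browser attaches the session cookie to under each SameSite setting. The target URL, field names and the simplified SameSite model are assumptions; in particular, Chrome's temporary "Lax + POST" allowance for cookies that set no SameSite attribute is not modelled.

```javascript
// Added example (not the project's or csrf-test.js's own code): the attacker-side
// auto-submitting form plus a model of SameSite cookie behaviour on cross-site
// requests. Target URL, field names and the simplified rules are assumptions.

// Escape values placed in attribute positions so the attack page stays
// well-formed HTML whatever the field contents are.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// The classic CSRF payload: a hidden form aimed at the victim endpoint and
// submitted by script on load. The browser adds the victim's cookies to the
// request; the attacker never needs to read them.
function buildCsrfAttackPage(targetUrl, fields, method = 'POST') {
  const inputs = Object.entries(fields)
    .map(([name, value]) =>
      `<input type="hidden" name="${escapeAttr(name)}" value="${escapeAttr(value)}">`)
    .join('\n    ');
  return `<!doctype html>
<html><body>
  <form id="csrf" method="${escapeAttr(method)}" action="${escapeAttr(targetUrl)}">
    ${inputs}
  </form>
  <script>document.getElementById('csrf').submit();</script>
</body></html>`;
}

// Will the browser send a cookie with this SameSite value on a cross-site
// request? Strict: never. Lax: only on top-level navigations with a safe
// method (a form POST is a top-level navigation but not a safe method).
// None: always, and only if the cookie is also Secure. Cookies with no
// attribute are treated as Lax here (modern default; Chrome's Lax+POST
// grace period is deliberately not modelled).
function cookieSentCrossSite(sameSite, method, topLevelNavigation, secure = true) {
  switch ((sameSite || 'Lax').toLowerCase()) {
    case 'strict': return false;
    case 'none': return secure;
    case 'lax':
    default:
      return topLevelNavigation && ['GET', 'HEAD'].includes(method.toUpperCase());
  }
}

// Combines both defences: does the forged request arrive with the victim's
// session, and if so, does a server-side token check still stop it?
function attackOutcome({ sameSite, method, topLevelNavigation, serverChecksToken }) {
  if (!cookieSentCrossSite(sameSite, method, topLevelNavigation)) return 'blocked_by_samesite';
  if (serverChecksToken) return 'blocked_by_token';
  return 'succeeds';
}

module.exports = { buildCsrfAttackPage, cookieSentCrossSite, attackOutcome, escapeAttr };
```

The model makes the demo's lesson concrete: a SameSite=Lax session cookie already defeats the form-POST page, but a state-changing endpoint reachable by GET (a link or a top-level navigation) is still exposed under Lax, and a cookie set to SameSite=None is exposed either way. Only the token check on the server stops all three, which is why the protected endpoint needs it regardless of the cookie settings.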
This application contains deliberately vulnerable code for educational purposes. Do not use the vulnerable patterns demonstrated in this project in production environments.
