This package provides middleware for CSRF security prevention (Cross-Site Request Forgery).
By default, there are three parameters supported by module:
- "all" - defines if all POST forms should be CSRF secured (default is false)
- "secret" - defines key for AES encryption (16, 24 or 32 bytes for AES-128, AES-192 or AES-256)
- "ttl" - defines max time (in seconds) validation for some token (default is 15 minutes)
csrf:
all: false
secret: "somethingSuperSecret"
ttl: 900
In case when it's not required to secure all forms, it's possible just to put middleware just for particular handler. In that case, only POST request for that handler will be secured.
type (
routes struct {
someController *controller.SomeController
csrfMiddleware *interfaces.CsrfMiddleware
}
)
func (r *routes) Routes(registry *router.Registry) {
registry.HandlePost("some.handler", r.csrfMiddleware.Secured(r.someController.Handler))
}
To add hidden input token into template, use template function:
!= csrfInput()
To add just token into template, use template function:
input(type="hidden" name="csrftoken" value=csrfToken())