Ring middleware to prevent CSRF attacks
This branch is 39 commits behind weavejester:master.


This middleware prevents CSRF attacks by providing a randomly-generated anti-forgery token.


When a handler is wrapped in the wrap-anti-forgery middleware, a randomly-generated string is assigned to the *anti-forgery-token* var. This token must be included as a parameter named "__anti-forgery-token" for all POST requests to the handler. Typically you'll add this to a hidden input field:

(str "<input type='hidden' name='__anti-forgery-token' value='" *anti-forgery-token* "'>")

A cookie of the same name is added to the response by the middleware. If the cookie and the POST parameter don't match, then a 403 Forbidden response is returned. This ensures that requests cannot be POSTed from other domains, because a page on another domain cannot read the cookie to supply a matching parameter.
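
The cookie-versus-parameter comparison described above, sketched as a standalone Ring-style middleware. This is an added example, not ring-anti-forgery's own source: the namespace and the names wrap-double-submit, new-token and tokens-match? are hypothetical, and it assumes cookies and form parameters are already parsed into the request map.

```clojure
(ns example.double-submit
  (:import (java.security MessageDigest SecureRandom)
           (java.util Base64)))

;; Added illustration of the cookie/parameter check; not the ring-anti-forgery
;; source. All names below are hypothetical.
(def token-name "__anti-forgery-token")

(defn new-token
  "Base64 encoding of 60 bytes from SecureRandom."
  []
  (let [buf (byte-array 60)]
    (.nextBytes (SecureRandom.) buf)
    (.encodeToString (Base64/getEncoder) buf)))

(defn tokens-match?
  "Constant-time comparison; false when either value is missing."
  [cookie-token param-token]
  (boolean
   (and cookie-token param-token
        (MessageDigest/isEqual (.getBytes ^String cookie-token "UTF-8")
                               (.getBytes ^String param-token "UTF-8")))))

(defn wrap-double-submit
  "Assumes :cookies and :form-params are already parsed into the request map,
  and that an outer middleware turns the response :cookies into Set-Cookie."
  [handler]
  (fn [request]
    (let [cookie-token (get-in request [:cookies token-name :value])
          param-token  (get-in request [:form-params token-name])]
      (if (and (= :post (:request-method request))
               (not (tokens-match? cookie-token param-token)))
        {:status 403 :headers {"Content-Type" "text/plain"} :body "Forbidden"}
        ;; Reuse the visitor's token or issue a new one, and send it back.
        (let [token (or cookie-token (new-token))]
          (-> (handler (assoc request ::token token))
              (assoc-in [:cookies token-name] {:value token})))))))

;; Constructed requests: a form post from the site itself, and a cross-site
;; post where the browser attaches the cookie but the parameter is absent.
(def app (wrap-double-submit (fn [_] {:status 200 :headers {} :body "ok"})))
(def token (new-token))
(def legit  {:request-method :post
             :cookies {token-name {:value token}}
             :form-params {token-name token}})
(def forged (update legit :form-params dissoc token-name))

(println "legit:" (:status (app legit)) "forged:" (:status (app forged)))
```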


Add the following dependency to your project.clj:

[ring-anti-forgery "0.1.1"]


The anti-forgery middleware will prevent POSTs from working for web service routes, so you should only apply it to the part of your website meant for browsers.
