Ring middleware to prevent CSRF attacks
ring-anti-forgery

This middleware protects against CSRF attacks by issuing a randomly generated anti-forgery token that every POST request to the wrapped handler must echo back.

Usage

When a handler is wrapped in the wrap-anti-forgery middleware, a randomly generated string is bound to the *anti-forgery-token* var for the duration of each request. This token must be included as a form parameter named "__anti-forgery-token" in every POST request to the handler. Typically you'll add it to a hidden input field in each form you render:

```clojure
(str "<input type='hidden' name='__anti-forgery-token' value='" *anti-forgery-token* "'>")
```

The middleware also sets a cookie of the same name on the response (as a Set-Cookie header, not in the body). On a POST, if the cookie value and the "__anti-forgery-token" parameter don't match, the middleware returns a 403 Forbidden response without calling your handler. A page on another origin can still cause the browser to submit a form to your handler, but it cannot read your site's cookies, so it cannot supply a matching parameter and the forged POST is rejected.
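The following is an added example of wiring the middleware into a small browser-facing Ring app; it is not code from ring-anti-forgery itself. It assumes the middleware lives in the ring.middleware.anti-forgery namespace (the README only names wrap-anti-forgery and *anti-forgery-token*), and that ring.middleware.params/wrap-params from ring-core must be applied outside wrap-anti-forgery so the POST body is already parsed into :form-params when the token is checked. The handler, routes and escape helper are illustrative.

```clojure
;; Added example, not part of ring-anti-forgery. Assumptions: the middleware
;; namespace is ring.middleware.anti-forgery, and wrap-params (ring-core) must
;; run before wrap-anti-forgery so the "__anti-forgery-token" form parameter
;; is visible to the check.
(ns example.csrf-demo
  (:require [ring.middleware.anti-forgery :refer [wrap-anti-forgery
                                                  *anti-forgery-token*]]
            [ring.middleware.params :refer [wrap-params]]))

(defn- escape-html
  "Minimal HTML attribute/text escaping for values we interpolate into markup."
  [s]
  (-> (str s)
      (.replace "&" "&amp;")
      (.replace "<" "&lt;")
      (.replace ">" "&gt;")
      (.replace "\"" "&quot;")
      (.replace "'" "&#39;")))

(defn- anti-forgery-field
  "Hidden input carrying the current request's token.
   *anti-forgery-token* is only bound while a request is inside
   wrap-anti-forgery, so call this from the handler, never at load time."
  []
  (str "<input type='hidden' name='__anti-forgery-token' value='"
       (escape-html *anti-forgery-token*) "'>"))

(defn- comment-form []
  (str "<form method='POST' action='/comment'>"
       (anti-forgery-field)
       "<textarea name='body'></textarea>"
       "<button type='submit'>Post</button>"
       "</form>"))

(defn- html-response [status body]
  {:status  status
   :headers {"Content-Type" "text/html; charset=utf-8"}
   :body    body})

(defn browser-handler
  "GET renders the form with the token; POST only runs if the middleware
   has already verified that the parameter matched the cookie. A mismatch
   is answered with 403 before this function is called."
  [request]
  (case [(:request-method request) (:uri request)]
    [:get  "/comment"] (html-response 200 (comment-form))
    [:post "/comment"] (html-response 200
                         (str "<p>Saved: "
                              (escape-html (get-in request [:form-params "body"]))
                              "</p>"))
    (html-response 404 "<h1>Not found</h1>")))

;; Middleware order matters: wrap-params is outermost so it parses the body
;; first, then wrap-anti-forgery checks the parameter against the cookie.
;; Apply this stack only to routes served to browsers (see Caveats); API
;; clients never receive the cookie and would always get 403.
(def app
  (-> browser-handler
      wrap-anti-forgery
      wrap-params))
```

Run `app` under any Ring adapter (for example ring-jetty-adapter). A first GET to /comment both renders the form and sets the cookie; submitting that form succeeds, while a POST that omits or alters the hidden field is rejected with 403 before browser-handler runs.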

Install

Add the following dependency to your project.clj:

```clojure
[ring-anti-forgery "0.1.1"]
```

Caveats

The anti-forgery middleware checks every POST for a matching cookie and parameter, so non-browser clients (web service and API consumers) that never received the cookie will get 403 responses. Apply this middleware only to the part of your website meant for browsers, not to web service routes.

Like any scheme that compares two values the client sends (a cookie and a form parameter), the check assumes an attacker cannot set cookies for your domain, for instance from a subdomain they control; treat that as part of your threat model when deploying it.
