Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Ring middleware to prevent CSRF attacks
Clojure

This branch is 31 commits behind weavejester:master

Fetching latest commit…

Cannot retrieve the latest commit at this time

Failed to load latest commit information.
src/ring/middleware
test/ring/middleware/test
.gitignore
README.md
project.clj

README.md

ring-anti-forgery

This middleware prevents CSRF attacks by providing a randomly-generated anti-forgery token.

Install

Add the following dependency to your project.clj:

[ring-anti-forgery "0.1.2"]

Usage

When a handler is wrapped in the wrap-anti-forgery middleware, a randomly- generated string is assigned to the *anti-forgery-token* var. This token must be included as a parameter named "__anti-forgery-token" for all POST requests to the handler. Typically you'll add this to a hidden input field:

(str "<input type='hidden' name='__anti-forgery-token' value='" *anti-forgery-token* "'>")

A cookie of the same name is added to the response body by the middleware. If the cookie and the POST parameter don't match, then a 403 Forbidden response is returned. This ensures that requests cannot be POSTed from other domains.

Caveats

The anti-forgery middleware will prevent POSTs working for web service routes, so you should only apply this middleware to the part of your website meant for browsers.

Something went wrong with that request. Please try again.