Disable CSRF for some paths #46
Comments
Right now it's all or nothing. This is an interesting requirement though. Let me see what I can do when I'm back from node summit. -- Jeff

> On Dec 4, 2013, at 6:44 AM, "Cristiano Betta" <notifications@github.com> wrote:
> Part of my app is an API. How do I disable CSRF for this and only this action?

@jeffharrell yeah. Would also like to see how this exactly is supposed to integrate into clientside JS posts. Or is that taken care of already?

Client-side posts done through JavaScript would just need to pass the

Closing as it doesn't belong in this repo.
Enabling comments in config files per krakenjs#46 - Take 2
Any idea when this feature is going to be released?

Would love to know when this feature is going to be released.

This is now possible using Kraken 1.0's meddleware config and setting the routes property on lusca/csrf.

@jeffharrell Can you give a quick example of disabling CSRF for a specific route in the meddleware config?
I'm no @jeffharrell, however ... If you check out the options meddleware accepts, you'll find this:

Basically, all that meddleware does there is

So, assuming you want csrf only on routes under

```json
{
  "middleware": {
    "appsec": {
      "priority": 110,
      "module": {
        "name": "lusca",
        "arguments": [
          {
            "csrf": false,
            "xframe": "SAMEORIGIN",
            "p3p": false,
            "csp": false
          }
        ]
      }
    },
    "appsecprotect": {
      "route": "/protect",
      "enabled": true,
      "priority": 111,
      "module": {
        "name": "lusca",
        "arguments": [
          {
            "csrf": true
          }
        ]
      }
    }
  }
}
```

A quick explanation: You can see this working here. Spin up that server and hit
Works perfectly, thanks!

Worth mentioning that what's happening here is, for /protect routes, lusca as registered by appsec kicks in, then lusca as registered by appsecprotect kicks in immediately afterwards. If lusca was destructive, that could cause a problem. In this case, since it's not, it merely adds csrf without disabling the others. I mention this because the reverse—disabling csrf for only some routes—would not work with this pattern.
Ahh, yes it actually isn't working for the disabling csrf. Any options for that? Disabling on certain routes is what I really want actually.

> From: Jean-Charles Sisk <notifications@github.com>
> Worth mentioning that what's happening here is, for /protect routes, lusca as registered by appsec kicks in, then lusca as registered by appsecprotect kicks in immediately afterwards. If lusca was destructive, that could cause a problem. In this case, since it's not, it merely adds csrf without disabling the others. I mention this because the reverse—disabling csrf for only some routes—would not work with this pattern.

Can't confirm any of this stuff at the moment (on a tablet) but, off the top of my head ... First, express can take a regular expression as a mountpoint. You could register a regex with a negative lookahead to not match on specific routes. Let's say, for example, you want to disable csrf for

Next, you could disable lusca in config, then write and configure your own middleware that conditionally calls the lusca middleware based on the req path. The path <-> regex resolution in express is provided by the path-to-regexp module; you could use that to ensure that your test for
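The three technical points in this thread (the route-scoped `csrf: true` config above, the note that stacking a second lusca instance is additive only, and the conditional-middleware and negative-lookahead workarounds in the previous comment), as an added example that is not part of the original thread and is not code from kraken, lusca or express. It models the middleware stack with a small synchronous chain: `csrfCheck` stands in for lusca's CSRF check, `luscaLike` for the lusca factory, `scoped` for meddleware's `route` option, and the `/api` exemption path, the regexes and every function name are this example's own assumptions.

```javascript
// Added example, not kraken/lusca/express code. Models the thread's middleware
// stacking and shows why a route-scoped "csrf: false" cannot undo a global
// "csrf: true", and how a conditional wrapper or a negative-lookahead mount
// achieves "disable CSRF for /api only". All names are this example's own.

// Stand-in for lusca.csrf(): safe methods pass; state-changing requests must
// carry the session's token in the body or in the x-csrf-token header.
function csrfCheck(req, res, next) {
  if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) return next();
  const expected = req.session && req.session._csrf;
  const supplied = (req.body && req.body._csrf) || req.headers['x-csrf-token'];
  if (expected && supplied === expected) return next();
  res.statusCode = 403;
  return next(new Error('CSRF token missing or invalid'));
}

// Stand-in for lusca(config): with csrf:false it simply adds no check, which
// is why a second, route-scoped instance can only add protection, never remove it.
function luscaLike(config) {
  return config.csrf ? csrfCheck : (req, res, next) => next();
}

// Stand-in for meddleware's "route" option: run mw only under a path prefix.
// Anchored with a segment boundary so "/protected" does not match "/protect".
function scoped(prefixRe, mw) {
  return (req, res, next) => (prefixRe.test(req.path) ? mw(req, res, next) : next());
}

// Conditional wrapper (the second workaround above): skip mw when req.path
// matches. Test req.path, not req.url, so a query string cannot influence it.
function unless(skipRe, mw) {
  return (req, res, next) => (skipRe.test(req.path) ? next() : mw(req, res, next));
}

// "/api" and "/api/x" are exempt; "/apiary" and "/v1/api" are not.
const API_PREFIX = /^\/api(?:\/|$)/;
// Negative-lookahead mount point (the first workaround above): matches every
// path except /api and /api/..., so middleware mounted on it never sees /api.
const NOT_API = /^(?!\/api(?:\/|$))/;
function mountedOutsideApi(path) { return NOT_API.test(path); }

// Minimal router: runs the stack in order and stops at the first error,
// returning the status the failing middleware set (200 if nothing failed).
function runChain(stack, req) {
  const res = { statusCode: 200 };
  let failed = null;
  let i = 0;
  const next = (err) => {
    if (err) { failed = err; return; }
    const mw = stack[i++];
    if (mw) mw(req, res, next);
  };
  next();
  return failed ? res.statusCode : 200;
}

// Constructed request object for the demo; no real HTTP is involved.
function makeReq(method, url, token) {
  const q = url.indexOf('?');
  return {
    method,
    url,
    path: q === -1 ? url : url.slice(0, q),
    headers: token ? { 'x-csrf-token': token } : {},
    body: {},
    session: { _csrf: 's3cret' },
  };
}

// The thread's working config pattern: csrf off globally, on under /protect.
function enableOnlyUnderProtect(method, url, token) {
  const stack = [luscaLike({ csrf: false }), scoped(/^\/protect(?:\/|$)/, luscaLike({ csrf: true }))];
  return runChain(stack, makeReq(method, url, token));
}

// The reverse with the same pattern: csrf on globally, "off" under /api.
// Does not work: the global check has already rejected the request before
// the scoped, check-less instance runs.
function disableOnlyUnderApiNaive(method, url, token) {
  const stack = [luscaLike({ csrf: true }), scoped(API_PREFIX, luscaLike({ csrf: false }))];
  return runChain(stack, makeReq(method, url, token));
}

// Working version: the global check itself is wrapped so /api is skipped.
function disableOnlyUnderApi(method, url, token) {
  return runChain([unless(API_PREFIX, csrfCheck)], makeReq(method, url, token));
}

console.log('naive /api POST  ->', disableOnlyUnderApiNaive('POST', '/api/items'));
console.log('wrapped /api POST ->', disableOnlyUnderApi('POST', '/api/items'));
console.log('wrapped /apiary POST ->', disableOnlyUnderApi('POST', '/apiary'));
```

Points a practitioner would check before shipping something like this: the exemption is tested against `req.path`, so `/checkout?next=/api/` is still protected; the regex is anchored and requires a segment boundary, so `/apiary` and `/v1/api` are not silently exempted; and an exempted API is only safe to exempt if browser cookies alone cannot authenticate its requests (for example, it requires a bearer token), since skipping the check there otherwise just moves the CSRF problem rather than removing it.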
Just tried disabling csrf for only one route, while enabling everything else. Still does not work - any workaround yet? Thanks! For reference, my

This should be documented somewhere. The only place I could find out how to turn off CSRF / and appsec in general is this thread.

@bthibault the README mentions application security and shows lusca's default configuration (see
I'm trying to turn on CSRF security on more than 1 route..

```json
{
  "middleware": {
    "appsecprotect": {
      "route": "/allocate|/resources",
      "enabled": true,
      "priority": 111,
      "module": {
        "name": "lusca",
        "arguments": [
          {
            "csrf": true
          }
        ]
      }
    }
  }
}
```

gives me {_csrf} value on both routes.. is that the proper way of specifying?

See #193

cool so basically REGEX will do..
Original issue: Part of my app is an API. How do I disable CSRF for this and only this action?