Open In App
Related Articles

Implementing Csurf Middleware in Node.js

Like Article
Save Article
Report issue

Csurf module in Node.js prevents the Cross-Site Request Forgery(CSRF) attack on an application. By using this module, when a browser renders up a page from the server, it sends a randomly generated string as a CSRF token. Therefore, when the POST request is performed, it will send the random CSRF token as a cookie. The token sent will be different for each request since they are generated randomly.


  • An IDE of your choice
  • NodeJs and NPM are installed and set up in your system.
  • Basic knowledge of Node.js modules and Embedded JavaScript(ejs).


First, we need to initialize our application with a package.json file. Therefore, write the following command in the terminal:  

npm init

After the package.json is created, it’s time to install our dependencies. Therefore, Install the required dependencies by the following command: 

npm install body-parser cookie-parser express csurf --save

Cookie-parser is used to parse the incoming cookies. 

Body-parser is used to parse the incoming form data that we will be creating in an HTML file. 

Create a file named app.js and write the following code for requiring module: 

Filename: app.js


const express = require('express');
const csrf = require('csurf');
const cookieParser = require('cookie-parser');
const bodyParser = require('body-parser');

  • Here, csrf will act as a middleware for generating and validating CSRF cookies. This middleware will add a function for generating cookies. This function will be passed to requests through a hidden form field. This created cookie will be then validated when the users send requests. The middleware populates req.csrfToken()
  • Now after we have required all the modules, now let’s write down the full code as shown below: 

Filename: app.js 


const express = require('express');
const csrf = require('csurf');
const cookieParser = require('cookie-parser');
const bodyParser = require('body-parser');
let csrfProtection = csrf({ cookie: true });
let parseForm = bodyParser.urlencoded({ extended: false });
let app = express();
app.set('view engine', 'ejs')
app.get('/form', csrfProtection, function (req, res) {
    // pass the csrfToken to the view
    res.render('login', { csrfToken: req.csrfToken() });
});'/process', parseForm,
    csrfProtection, function (req, res) {
        res.send('Successfully Validated!!');
app.listen(3000, (err) => {
    if (err) console.log(err);
    console.log('Server Running');

  • In the above code, after importing the modules, we set up the route middleware and pass the validation method as a cookie instead of a token. Body-parser is used to parse the data coming from the form. Since a cookie is used as the validation method, therefore, cookie-parser is used. Now, in the GET request, we are rendering the passed cookie value to the view. In the POST request, we are first validating the cookie and if validated, then we are sending a message. 
  • Now, create a folder and named as view and create a file and name it login.ejs, and write the following code in it:


    <title>Csurf Middleware</title>
    <form action="process" method="POST">
        <input type="hidden" name="_csrf"
               value="<%= csrfToken %>">
        <input type="text" name="myname">
        <input type="submit" value="Submit">


The above code example will run just as a simple application but there will be an added extra security measure for preventing CSRF.

Steps to run this program: 

Make sure you have installed express, csurf, cookie-parser, and body-parser modules with the following commands: 

npm install express
npm install express
npm install csurf
npm install cookie-parser
npm install body-parser

Run the index.js file with the following command:  

node index.js

Open the browser and go to http://localhost:3000/form, then you will see the form with an input field as shown below: 

After submitting the form, you will see the following output: 

Successfully Validated!!

Conclusion: Csurf is a very useful node module for preventing Cross-Site Request Forgery attacks.

Last Updated : 05 Apr, 2023
Like Article
Save Article
Share your thoughts in the comments
Similar Reads