Csurf module in Node.js prevents the Cross-Site Request Forgery(CSRF) attack on an application. By using this module, when a browser renders up a page from the server, it sends a randomly generated string as a CSRF token. Therefore, when the POST request is performed, it will send the random CSRF token as a cookie. The token sent will be different for each request since they are generated randomly.
- An IDE of your choice
- NodeJs and NPM installed and setup in your system.
- First, we need to initialize our application with package.json file. Therefore, write the following command in the terminal:
- After, the package.json is created, its time to install our dependencies. Therefore, Install the required dependencies by the following command:
npm install body-parser cookie-parser express csurf --save
- Cookie-parser is used to parse the incoming cookies. Body-parser is used to parse the incoming form data that we will be creating in a HTML file.
- Create a file and named as app.js and write the following code for requiring module:
- Here, csrf will act as a middleware for generating and validating CSRF cookies. This middleware will add a function for generating cookies. This function will be passed to requests through a hidden form field. This created cookie will be then validated when the users send requests. The middleware populates req.csrfToken().
- Now after we have required all the modules, now let’s write down the full code as shown below:
- In the above code, after importing the modules, we set up the route middlewares and pass the validation method as cookie instead of token. Body-parser is used to parse the data coming from the form. Since, cookie is used as the validation method, therefore, cookie-parser is used. Now, in the GET request, we are rendering the passed cookie value to the view. In the POST request, we are first validating the cookie and if validated, then we are sending a message.
- Now, create a folder and named as view and create a file and name it as login.ejs and write the following code in it:
The above code example will run just as a simple application but there will be an added extra security measure for preventing CSRF.
Steps to run this program:
- Make sure you have installed express, csurf, cookie-parser, body-parser module with following command:
npm install express npm install express npm install csurf npm install cookie-parser npm install body-parser
- Run index.js file with following command:
- Open the browser and go to http://localhost:3000/form, then you will see the form with an input field as shown below:
- After submitting the form, you will see the following output:
Conclusion: Csurf is a very useful node module for preventing Cross-Site Request Forgery attack.