Skip to content

kemalcr/kemal-csrf

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Jun 18, 2018
a1d90ff · Jun 18, 2018

History

17 Commits
Jul 14, 2017
Dec 29, 2017
Nov 24, 2016
Nov 24, 2016
Nov 24, 2016
Jul 14, 2017
Jun 18, 2018

Repository files navigation

kemal-csrf

Adds CSRF protection to your Kemal application.

Requires a session middleware to be initialized first.

Installation

Add this to your application's shard.yml:

dependencies:
  kemal-csrf:
    github: kemalcr/kemal-csrf

Usage

Basic Use

require "kemal-csrf"

add_handler CSRF.new

You can also change the name of the form field, header name, the methods which don't need csrf,error message and routes which you don't want csrf to apply. All of these are optional

require "kemal-csrf"

add_handler CSRF.new(
  header: "X_CSRF_TOKEN",
  allowed_methods: ["GET", "HEAD", "OPTIONS", "TRACE"],
  allowed_routes: ["/api/somecallback"],
  parameter_name: "_csrf", 
  error: "CSRF Error" 
)

If you need to have some logic within your error response, you can also pass it a proc (a pointer to a function)

require "kemal-csrf"

add_handler CSRF.new(
  header: "X_CSRF_TOKEN",
  allowed_methods: ["GET", "HEAD", "OPTIONS", "TRACE"],
  allowed_routes: ["/api/somecallback"],
  parameter_name: "_csrf", 
  error: ->myerrorhandler(HTTP::Server::Context)
)

def myerrorhandler(env)
  if env.request.headers["Content-Type"]? == "application/json"
    {"error" => "csrf error"}.to_json
  else
    "<html><head><title>Error</title><body><h1>You cannot post to this route without a valid csrf token</h1></body></html>"
  end
end

Contributing

  1. Fork it ( https://github.com/kemalcr/kemal-csrf/fork )
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create a new Pull Request

Contributors

  • sdogruyol Serdar Dogruyol - creator, maintainer