Cross-site request forgery

Cross-site request forgery (CSRF) is an attack that tricks the victim into executing malicious actions on a web application in which they are authenticated. Connect/Express comes packaged with a Cross-site request forgery protection middleware. This middleware lets us check that a request which mutates state comes from a valid source. The CSRF middleware creates a token that is stored in the request's session as _csrf. A request to our Express server will then need to pass the token in the header field X-CSRF-Token.

Let's create a security module, ./lib/security/index.js, that adds the csrf middleware to our application. We define a function, Security, that takes an Express app as an argument and removes the middleware ...

Get Advanced Express Web Application Development now with the O’Reilly learning platform.
