#csrf #protection #request #primitive #cookies #cross-site #forgery

xsrf

A library to provide Cross-site request forgery protection

1 unstable release

0.1.0 Jun 30, 2020

#13 in #csrf

MIT license

8KB
133 lines


A library to provide Cross-site request forgery protection. See documentation for how to use the library.


lib.rs:

A library to provide Cross-site request forgery protection.

Getting this right can be tricky, and this library aims to provide the primitives needed to do it without making it too easy to get wrong. Remember, though, that these primitives only provide protection when they are coupled correctly with the HTTP layer: the token must be issued with every form or script-initiated request and checked on every state-changing request.

Warning

This library provides primitives, and is meant to be used as a building block. The suggested way to use this is to write a library to integrate this with your favorite HTTP stack. For example, if you're using actix then don't use this directly but instead go use actix-xsrf.

Usage

The library implements the double-submit cookie pattern with per-request token masking, the approach now used by several popular web frameworks.

  • A CookieToken is issued and stored in the cookie or the session. Use a signed (and, where possible, HttpOnly and SameSite) cookie so the token cannot be forged or tampered with by the client.
  • From this CookieToken, one or more RequestTokens can be issued. You can issue one per request, or several; any number of them can be validated against the original CookieToken.
  • The RequestToken should either be embedded in your HTML form (typically a hidden field) or sent via an HTTP header (often the case for requests initiated from JavaScript).
  • The server side must validate the RequestToken against the CookieToken on every state-changing request (POST, PUT, PATCH, DELETE and so on) and reject the request if either token is missing or they do not match. Safe methods such as GET and HEAD should not change state and therefore need no check.

Notes

  • rand is used to generate cryptographically secure random tokens.
  • Each RequestToken is the CookieToken xor-ed with a fresh random mask (a one-time pad), and the mask is transmitted alongside the masked value. Because the token bytes in the response change on every issuance, an attacker cannot recover the CookieToken through HTTP-compression side channels such as BREACH.
  • subtle is used for constant-time comparison, so the token check does not leak information through timing.
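The following is an added example, not code from the xsrf crate, that implements the scheme described in the Usage and Notes sections above using only the Rust standard library: a random CookieToken, per-request RequestTokens formed as `mask || (cookie XOR mask)`, constant-time validation, and the method check that the HTTP layer must perform. The real crate uses `rand` for randomness and `subtle` for the comparison; reading `/dev/urandom` and the hand-rolled constant-time loop here are illustrative substitutes, and the hex encoding, 32-byte token length and all function names are assumptions of this example rather than the crate's API.

```rust
// Added example (not the xsrf crate's code): the double-submit-with-masking
// scheme from the docs above, built from std only so it runs stand-alone.
// The crate itself uses `rand` and `subtle`; the replacements below are
// illustrative assumptions, as are the type/function names and hex encoding.
use std::fs::File;
use std::io::{self, Read};

/// Token length in bytes; 32 bytes (256 bits) is an assumption of this example.
pub const TOKEN_LEN: usize = 32;

/// Secret token that lives in the signed session cookie.
#[derive(Clone, PartialEq, Eq, Debug)]
pub struct CookieToken(pub [u8; TOKEN_LEN]);

/// Fill `buf` from the OS CSPRNG. Assumes a Unix-like host with /dev/urandom.
pub fn fill_random(buf: &mut [u8]) -> io::Result<()> {
    File::open("/dev/urandom")?.read_exact(buf)
}

impl CookieToken {
    pub fn generate() -> io::Result<Self> {
        let mut t = [0u8; TOKEN_LEN];
        fill_random(&mut t)?;
        Ok(CookieToken(t))
    }

    /// Derive a per-request token: a random mask followed by (cookie XOR mask).
    /// Because the mask is fresh on every call, the bytes that appear in the
    /// HTML or JS response differ each time, so a BREACH attacker cannot recover
    /// the cookie token byte by byte from compression ratios.
    pub fn request_token_with_mask(&self, mask: &[u8; TOKEN_LEN]) -> String {
        let mut out = Vec::with_capacity(2 * TOKEN_LEN);
        out.extend_from_slice(mask);
        out.extend(self.0.iter().zip(mask).map(|(c, m)| c ^ m));
        hex_encode(&out)
    }

    pub fn request_token(&self) -> io::Result<String> {
        let mut mask = [0u8; TOKEN_LEN];
        fill_random(&mut mask)?;
        Ok(self.request_token_with_mask(&mask))
    }

    /// Unmask a submitted request token and compare it with this cookie token
    /// in constant time (an OR-accumulated difference, never an early return).
    /// Malformed or truncated input is rejected before the comparison.
    pub fn validate(&self, request_token: &str) -> bool {
        let bytes = match hex_decode(request_token) {
            Some(b) if b.len() == 2 * TOKEN_LEN => b,
            _ => return false,
        };
        let (mask, masked) = bytes.split_at(TOKEN_LEN);
        let mut diff = 0u8;
        for i in 0..TOKEN_LEN {
            diff |= (masked[i] ^ mask[i]) ^ self.0[i];
        }
        std::hint::black_box(diff) == 0
    }
}

/// The HTTP-layer rule: only state-changing methods need a CSRF check;
/// safe methods must not change state in the first place.
pub fn requires_csrf_check(method: &str) -> bool {
    !matches!(
        method.to_ascii_uppercase().as_str(),
        "GET" | "HEAD" | "OPTIONS" | "TRACE"
    )
}

fn hex_encode(bytes: &[u8]) -> String {
    bytes.iter().map(|b| format!("{:02x}", b)).collect()
}

fn hex_decode(s: &str) -> Option<Vec<u8>> {
    if s.len() % 2 != 0 {
        return None;
    }
    (0..s.len())
        .step_by(2)
        .map(|i| u8::from_str_radix(s.get(i..i + 2)?, 16).ok())
        .collect()
}

fn main() -> io::Result<()> {
    let cookie = CookieToken::generate()?;
    // Two tokens for the same session: one for a form field, one for a header.
    let form_token = cookie.request_token()?;
    let header_token = cookie.request_token()?;
    println!("form token:   {form_token}");
    println!("header token: {header_token}");
    println!("distinct on the wire: {}", form_token != header_token);
    println!(
        "both validate: {}",
        cookie.validate(&form_token) && cookie.validate(&header_token)
    );
    Ok(())
}
```

Note that `validate` decodes and length-checks before comparing, so the only data-dependent branch is on the shape of the input, not on its value; the `black_box` call discourages the compiler from short-circuiting the accumulator. In an integration with an HTTP framework, `requires_csrf_check` gates the call to `validate`, and a missing cookie or missing request token is treated as a failed check.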

Dependencies

~1.7–2.4MB
~42K SLoC