xsrfhtml

package v0.0.0-...-f115076

This package is not in the latest version of its module.

Published: Apr 20, 2024 License: Apache-2.0 Imports: 7 Imported by: 2

Documentation

Overview

Package xsrfhtml provides a safehttp.Interceptor that ensures Cross-Site Request Forgery protection by checking incoming requests for the presence of an XSRF token and rejecting those requests that are suspected to be part of an attack.

Index

Constants

const (
	// TokenKey is the form key used when sending the token as part of POST
	// request.
	TokenKey = "xsrf-token"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type Interceptor

type Interceptor struct {
	// SecretAppKey uniquely identifies each registered service and should have
	// high entropy as it is used for generating the XSRF token.
	SecretAppKey string
}

Interceptor implements XSRF protection.

func (*Interceptor) Before

Before checks for the presence of an XSRF token in the body of state-changing requests (all except GET, HEAD and OPTIONS) and validates it.

func (*Interceptor) Commit

Commit adds XSRF protection in the response, so the interceptor can distinguish between subsequent requests coming from an authorized user and requests that are potentially part of a Cross-Site Request Forgery attack.

On the first user visit through a state-preserving request (GET, HEAD or OPTIONS), a nonce-based cookie is set in the response as a way to distinguish between users and prevent pre-login XSRF attacks. The cookie is then used in the token generation and verification algorithm and is expected to be present in all subsequent incoming requests.

For every authorized request, the interceptor also generates a cryptographically safe XSRF token using the SecretAppKey, the cookie and the path visited. This token is then injected as a hidden input field in HTML forms.
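The scheme that Commit and Before describe, as an added stand-alone example (not the package's own implementation): the token is an HMAC under SecretAppKey over the nonce cookie, the request path and an issue time, rendered as the hidden TokenKey field and checked with a constant-time compare. The tokenTTL value, the token layout and the demo key and nonce strings are assumptions made here, not taken from the package.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"html"
	"strconv"
	"strings"
	"time"
)

const TokenKey = "xsrf-token"   // hidden-field name, as in the package
const tokenTTL = 24 * time.Hour // assumed token lifetime; the package's own is not stated on this page

// mac binds SecretAppKey, the nonce cookie, the request path and the issue time together.
func mac(appKey, nonce, path string, ts int64) string {
	h := hmac.New(sha256.New, []byte(appKey))
	fmt.Fprintf(h, "%s\x00%s\x00%d", nonce, path, ts) // NUL-separated so fields cannot run into each other
	return base64.RawURLEncoding.EncodeToString(h.Sum(nil))
}

// GenerateToken is the Commit-side step: "<unix-ts>:<mac>", the value placed in the hidden field.
func GenerateToken(appKey, nonce, path string, now time.Time) string {
	return strconv.FormatInt(now.Unix(), 10) + ":" + mac(appKey, nonce, path, now.Unix())
}

// ValidToken is the Before-side check for state-changing requests (all but GET, HEAD, OPTIONS).
func ValidToken(token, appKey, nonce, path string, now time.Time) bool {
	tsStr, got, ok := strings.Cut(token, ":")
	ts, err := strconv.ParseInt(tsStr, 10, 64)
	if !ok || err != nil || now.Unix() < ts || now.Unix()-ts > int64(tokenTTL.Seconds()) {
		return false // malformed, dated in the future, or older than the TTL
	}
	return subtle.ConstantTimeCompare([]byte(got), []byte(mac(appKey, nonce, path, ts))) == 1
}

// HiddenField renders the token as the hidden input the interceptor injects into HTML forms.
func HiddenField(token string) string {
	return `<input type="hidden" name="` + TokenKey + `" value="` + html.EscapeString(token) + `">`
}

func main() {
	// Constructed demo values; in the real flow the nonce is the cookie set on the first GET.
	key, nonce := "demo-high-entropy-app-key", "constructed-nonce"
	tok := GenerateToken(key, nonce, "/transfer", time.Now())
	fmt.Println(HiddenField(tok), ValidToken(tok, key, nonce, "/transfer", time.Now()))
}
```

A token minted for one path or one user's cookie fails validation for any other path, cookie or app key, which is the property that stops a cross-site form post from reusing a token it did not receive.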

func (*Interceptor) Match

Match returns false since there are no supported configurations.
