aahframe.work/security/anticsrf

package anticsrf

import "aahframe.work/security/anticsrf"


Package Files

anti_csrf.go util.go


var (
    ErrNoReferer        = errors.New("security/anticsrf: no referer")
    ErrMalformedReferer = errors.New("security/anticsrf: malformed referer")
    ErrBadReferer       = errors.New("security/anticsrf: bad referer")
    ErrNoCookieFound    = errors.New("security/anticsrf: no cookie found")
)

Anti-CSRF errors

func IsSafeHTTPMethod

func IsSafeHTTPMethod(method string) bool

IsSafeHTTPMethod returns true if the given method is a safe method as defined in RFC 7231 section 4.2.1 (https://tools.ietf.org/html/rfc7231#section-4.2.1), otherwise false. Requests using a safe method are normally not subjected to the Anti-CSRF check, so handlers must not change server state in response to them.

func IsSameOrigin

func IsSameOrigin(a, b *url.URL) bool

IsSameOrigin reports whether a and b have the same origin, i.e. the same scheme, host and port. Returns true if they match, otherwise false.

type AntiCSRF

type AntiCSRF struct {
    Enabled bool
    // contains filtered or unexported fields
}

AntiCSRF holds the implementation of Anti-CSRF (aka XSRF) protection.

func New

func New(cfg *config.Config) (*AntiCSRF, error)

New initializes Anti-CSRF protection from the security configuration.

func (*AntiCSRF) CipherSecret

func (ac *AntiCSRF) CipherSecret(r *ahttp.Request) []byte

CipherSecret returns the Anti-CSRF secret from the cookie; if no cookie secret is available, it generates a new secret.

func (*AntiCSRF) ClearCookie

func (ac *AntiCSRF) ClearCookie(w http.ResponseWriter, r *ahttp.Request)

ClearCookie clears the Anti-CSRF cookie; it is used when Anti-CSRF protection is disabled.

func (*AntiCSRF) GenerateSecret

func (ac *AntiCSRF) GenerateSecret() []byte

GenerateSecret generates a new random secret of the configured length.

func (*AntiCSRF) IsAuthentic

func (ac *AntiCSRF) IsAuthentic(secret, requestSecret []byte) bool

IsAuthentic compares the given cookie secret with the request secret and returns true if they match, otherwise false.

func (*AntiCSRF) IsTrustedOrigin

func (ac *AntiCSRF) IsTrustedOrigin(ref *url.URL) bool

IsTrustedOrigin returns true if the host of the given referrer URL is listed in the configuration key `security.anti_csrf.trusted_origins`, otherwise false.

Note: the trusted origin check is case-insensitive.

func (*AntiCSRF) RequestCipherSecret

func (ac *AntiCSRF) RequestCipherSecret(r *ahttp.Request) []byte

RequestCipherSecret returns the aah request secret (aka the Anti-CSRF token) from the request. The order of retrieval is: HTTP header first, then form (regular and multipart).

func (*AntiCSRF) SaltCipherSecret

func (ac *AntiCSRF) SaltCipherSecret(secret []byte) string

SaltCipherSecret returns the given cipher secret in salted form.

func (*AntiCSRF) SetCookie

func (ac *AntiCSRF) SetCookie(w http.ResponseWriter, secret []byte) error

SetCookie writes or refreshes the Anti-CSRF cookie value and its expiry.
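The verification flow that the functions above expose (safe-method exemption, same-origin and trusted-origin Referer checks, cookie secret versus request token), shown as an added illustration in plain standard-library Go. This is not the aah package's own code and does not call it; the cookie, header and form-field names, the constant-time comparison, the policy of enforcing the Referer check only on HTTPS requests, the missing-port behaviour of the origin comparison, and the extra errTokenMismatch error are assumptions of this example, and its error variables merely mirror the names the package exports.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"net/http"
	"net/url"
	"strings"
)

// Constructed errors named after the package's; errTokenMismatch is an extra assumption.
var (
	errNoReferer        = errors.New("anticsrf: no referer")
	errMalformedReferer = errors.New("anticsrf: malformed referer")
	errBadReferer       = errors.New("anticsrf: bad referer")
	errNoCookieFound    = errors.New("anticsrf: no cookie found")
	errTokenMismatch    = errors.New("anticsrf: token mismatch")
)

// Assumed names; the real package takes these from its security configuration.
const (
	cookieName = "anti_csrf"
	headerName = "X-Anti-CSRF-Token"
	formField  = "anti_csrf_token"
)

// isSafeHTTPMethod: RFC 7231 section 4.2.1 safe methods; they skip the token check, so handlers must not change state on them.
func isSafeHTTPMethod(method string) bool {
	switch strings.ToUpper(method) {
	case http.MethodGet, http.MethodHead, http.MethodOptions, http.MethodTrace:
		return true
	}
	return false
}

// isSameOrigin: same scheme and host:port (url.URL.Host includes the port; default ports are not normalised here).
func isSameOrigin(a, b *url.URL) bool {
	return strings.EqualFold(a.Scheme, b.Scheme) && strings.EqualFold(a.Host, b.Host)
}

// isTrustedOrigin: the referer host is in the configured list, compared case-insensitively.
func isTrustedOrigin(ref *url.URL, trusted []string) bool {
	for _, t := range trusted {
		if strings.EqualFold(t, ref.Hostname()) {
			return true
		}
	}
	return false
}

// generateSecret returns 32 CSPRNG bytes, URL-safe base64 encoded (43 characters).
func generateSecret() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to continue from
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// isAuthentic compares in constant time so the check leaks no timing signal.
func isAuthentic(secret, requestSecret []byte) bool {
	return len(secret) > 0 && subtle.ConstantTimeCompare(secret, requestSecret) == 1
}

// checkRequest: skip safe methods; on HTTPS require a same-origin or trusted Referer (assumed
// policy behind the referer errors); then compare the cookie secret with the header-first, form-second token.
func checkRequest(r *http.Request, trusted []string) error {
	if isSafeHTTPMethod(r.Method) {
		return nil
	}
	if r.TLS != nil {
		ref := r.Header.Get("Referer")
		refURL, err := url.Parse(ref)
		self := &url.URL{Scheme: "https", Host: r.Host}
		switch {
		case ref == "":
			return errNoReferer
		case err != nil || refURL.Host == "":
			return errMalformedReferer
		case !isSameOrigin(refURL, self) && !isTrustedOrigin(refURL, trusted):
			return errBadReferer
		}
	}
	c, err := r.Cookie(cookieName)
	if err != nil {
		return errNoCookieFound
	}
	tok := r.Header.Get(headerName)
	if tok == "" {
		tok = r.FormValue(formField) // parses regular and multipart forms
	}
	if !isAuthentic([]byte(c.Value), []byte(tok)) {
		return errTokenMismatch
	}
	return nil
}
```

Two points worth keeping when adapting this: the Referer check is what stops a cross-site page from replaying a token it somehow obtained, so it is enforced on HTTPS where a network attacker cannot strip the header, and the cookie/token comparison must be constant-time because the cookie secret is the long-lived value the whole scheme rests on.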

Package anticsrf imports 11 packages and is imported by 6 packages. Updated 2019-03-26.