
Implement Cross-Site Request Forgery (CSRF) Protection in Express.js

Safeguard your Express.js applications against CSRF attacks by integrating the `csurf` middleware, so that every state-changing request must carry a token that only pages served by your application can supply, and a request forged from another origin is rejected before it reaches your handler.

```javascript
const express = require('express');
const session = require('express-session');
const csrf = require('csurf');

const app = express();

// Session middleware. In its default (session-backed) mode csurf stores the
// per-session CSRF secret in req.session, so this must be mounted before it.
app.use(session({
    secret: process.env.SESSION_SECRET || 'change_me_before_deploying', // Use a strong, unique secret from the environment
    resave: false,
    saveUninitialized: true,
    cookie: {
        httpOnly: true,                                // Not readable by page scripts
        sameSite: 'lax',                               // Defence in depth: browsers drop the cookie on cross-site POSTs
        secure: process.env.NODE_ENV === 'production'  // Only send over HTTPS in production
    }
}));

// Parse URL-encoded bodies (form data) before csurf, so it can read the _csrf field
app.use(express.urlencoded({ extended: false }));

// CSRF protection middleware. Without { cookie: true } the secret lives in the
// session rather than in a separate cookie, so cookie-parser is not needed.
const csrfProtection = csrf();
app.use(csrfProtection);

// Expose a fresh token to every view via res.locals
app.use((req, res, next) => {
    res.locals.csrfToken = req.csrfToken();
    next();
});

// Example GET route to display a form
app.get('/', (req, res) => {
    res.send(`
        <form action="/process" method="POST">
            <input type="hidden" name="_csrf" value="${res.locals.csrfToken}">
            <input type="text" name="data" placeholder="Enter data">
            <button type="submit">Submit</button>
        </form>
    `);
});

// Example POST route protected by CSRF
app.post('/process', (req, res) => {
    // The token was already checked by csrfProtection. GET, HEAD and OPTIONS are
    // exempt from the check, so never change state in response to those methods.
    console.log('Received data:', req.body.data);
    res.send('Data processed securely!');
});

// Error handler: csurf rejects a missing or invalid token with err.code === 'EBADCSRFTOKEN'.
// It must be registered after the routes.
app.use((err, req, res, next) => {
    if (err.code !== 'EBADCSRFTOKEN') return next(err);
    res.status(403).send('Form tampered with or CSRF token missing');
});

const PORT = process.env.PORT || 3000;
app.listen(PORT, () => {
    console.log(`Server listening on port ${PORT}`);
});
```
How it works: This Express snippet implements Cross-Site Request Forgery (CSRF) protection with the `csurf` middleware. `csurf` keeps one secret per session: when mounted without `cookie: true` it stores that secret in `req.session`, which is why `express-session` must run before it; with `cookie: true` the secret is stored in a separate cookie and `cookie-parser` is required instead. Each call to `req.csrfToken()` derives a token from the secret, and that token must be sent back with every state-changing request (POST, PUT, PATCH, DELETE), either as a hidden `_csrf` form field or in a request header such as `x-csrf-token`. The middleware validates the token before the route handler runs and rejects the request with an `EBADCSRFTOKEN` error when it is missing or does not match; a page on another origin cannot read the token, so it cannot forge a request on the user's behalf. Two caveats: `csurf` skips the check for GET, HEAD and OPTIONS, so those methods must never change state; and the `csurf` package has since been marked deprecated by its maintainers, so new projects should apply the same secret-plus-token pattern with a maintained library.
