A Bucketchain middleware for stateless CSRF protection without tokens.
bower install purescript-bucketchain-csrf purescript-bucketchain-cors
Use it together with the CORS middleware (purescript-bucketchain-cors), as in the example below.
```purescript
module Main where

import Prelude

-- Imports added to make the snippet compile; module names follow the
-- layout of the bucketchain, bucketchain-cors and bucketchain-csrf packages.
import Bucketchain (Middleware, Server, createServer)
import Bucketchain.CORS (Origins(..), defaultOptions, withCORS)
import Bucketchain.CSRF (withCSRFProtection)
import Bucketchain.Http (requestMethod, requestURL)
import Bucketchain.ResponseBody (body)
import Control.Monad.Reader (ask)
import Data.Maybe (Maybe(..))
import Effect (Effect)
import Effect.Class (liftEffect)

-- Compose the middlewares with (<<<).
server :: Effect Server
server = createServer $ middleware1 <<< middleware2 <<< middleware3

-- CSRF protection: the expected Host and the allowed origins for X-From / Origin.
middleware1 :: Middleware
middleware1 = withCSRFProtection
  { host: "example.oreshinya.xyz"
  , origins: [ "http://example.oreshinya.xyz", "http://test.oreshinya.xyz" ]
  }

-- CORS with the same allow-list, so browsers on those origins may send X-From.
middleware2 :: Middleware
middleware2 = withCORS defaultOptions
  { origins = Origins [ "http://example.oreshinya.xyz", "http://test.oreshinya.xyz" ]
  }

-- Application handler: answers POST /test, passes everything else on.
middleware3 :: Middleware
middleware3 next = do
  http <- ask
  if requestMethod http == "POST" && requestURL http == "/test"
    then liftEffect $ Just <$> body "This is test."
    else next
```
This middleware checks the following request headers:

- `Host`: must match the configured `host`. This rejects DNS rebinding, where an attacker points their own hostname at the server's IP address and the browser then sends that hostname in `Host`.
- `X-From`: must be one of the configured `origins`. Clients should send this header with every request. Because it is a custom header, an HTML form cannot set it and a cross-origin script can only send it after a successful CORS preflight, which is what makes protection without a token possible.
- `Origin`: must be one of the configured `origins`.
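The decision logic behind the three checks above, as an added illustration rather than code from purescript-bucketchain-csrf: a plain function over a request's headers, run against constructed sample requests (a legitimate cross-origin client, a cross-site form post, a DNS-rebinding request and a forged `X-From`). Header names are lower-cased as Node's `http` module exposes them; rejecting a request that lacks an `Origin` header is a policy choice of this example, not necessarily the library's.

```javascript
// Added example, not the library's implementation. Config shape mirrors the
// README's withCSRFProtection record.
const config = {
  host: "example.oreshinya.xyz",
  origins: ["http://example.oreshinya.xyz", "http://test.oreshinya.xyz"],
};

// headers: object keyed by lower-cased header name.
// Returns null when the request passes, otherwise the reason it is rejected.
function csrfReject(headers, cfg) {
  const host = headers["host"];
  const xFrom = headers["x-from"];
  const origin = headers["origin"];

  // Host check: defeats DNS rebinding, where the browser sends the attacker's
  // hostname. Compared exactly, so a configured host with a port must match too.
  if (host !== cfg.host) return "host mismatch";

  // X-From check: a <form> cannot add this header, and a cross-origin fetch()
  // carrying it only reaches the server after the CORS middleware approves the
  // preflight. Missing or not allow-listed means the request is rejected.
  if (!xFrom || !cfg.origins.includes(xFrom)) return "x-from missing or not allowed";

  // Origin check: browsers attach Origin to cross-origin and POST requests.
  // This example also rejects requests without Origin (example policy).
  if (!origin || !cfg.origins.includes(origin)) return "origin missing or not allowed";

  return null;
}

// Constructed sample requests (not captured traffic).
const samples = {
  // fetch("/test", { method: "POST", headers: { "X-From": location.origin } })
  // from an allowed origin.
  legit: {
    host: "example.oreshinya.xyz",
    "x-from": "http://test.oreshinya.xyz",
    origin: "http://test.oreshinya.xyz",
  },
  // Cross-site <form method="POST">: Origin is the attacker's page and the
  // form cannot set X-From at all.
  formPost: { host: "example.oreshinya.xyz", origin: "http://evil.example" },
  // DNS rebinding: attacker.example resolves to this server, so Host is wrong
  // even though the attacker can set the other headers on their own page.
  rebinding: {
    host: "attacker.example",
    "x-from": "http://example.oreshinya.xyz",
    origin: "http://example.oreshinya.xyz",
  },
  // A script on a non-allow-listed origin sending X-From = its own origin.
  forgedXFrom: {
    host: "example.oreshinya.xyz",
    "x-from": "http://evil.example",
    origin: "http://evil.example",
  },
};

// Evaluate every sample; returns { name: reason-or-null }.
function evaluateSamples() {
  return Object.fromEntries(
    Object.entries(samples).map(([name, h]) => [name, csrfReject(h, config)])
  );
}

console.log(evaluateSamples());
```

Only the legitimate request passes. Note that the `X-From` value is attacker-controlled on the attacker's own origin, which is why it is only meaningful in combination with the CORS allow-list on the same origins: the browser refuses to send the custom header cross-origin unless the preflight response permits it.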
Module documentation is published on Pursuit.
MIT