Source: 自学PHP网  Date: 2015-04-17 12:00
CSRF protection middleware.

By default this middleware generates a token named "_csrf" which should be added to requests which mutate state, within a hidden form field, query-string etc. This token is validated against the visitor's req.session._csrf property.

The default value function checks req.body generated by the bodyParser() middleware, req.query generated by query(), and the "X-CSRF-Token" header field.

This middleware requires session support, and thus should be added somewhere below session() and cookieParser().
Options
  value    a function accepting the request, returning the token

Parameters
  options  Object
Source

var utils = require('../utils'); // Connect's internal helpers: uid() and error()

module.exports = function csrf(options) {
  var options = options || {}
    , value = options.value || defaultValue;

  return function(req, res, next){
    // generate CSRF token (created once per session, then reused)
    var token = req.session._csrf || (req.session._csrf = utils.uid(24));

    // ignore these methods (safe methods do not mutate state)
    if ('GET' == req.method || 'HEAD' == req.method || 'OPTIONS' == req.method) return next();

    // determine value submitted with the request
    var val = value(req);

    // check the submitted value against the session token
    if (val != token) return next(utils.error(403));
    next();
  }
};
defaultValue()

Default value function, checking the req.body and req.query for the CSRF token.

Parameters
  req      IncomingMessage

Returns    String
Source

function defaultValue(req) {
  return (req.body && req.body._csrf)
    || (req.query && req.query._csrf)
    || (req.headers['x-csrf-token']);
}