CSRF Middleware

Cross-site request forgery, also known as one-click attack or session riding andabbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of maliciousexploit of a website where unauthorized commands are transmitted from a user thatthe website trusts.

Usage

e.Use(middleware.CSRF())

Custom Configuration

Usage

  1. e := echo.New()
  2. e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
  3.   TokenLookup: "header:X-XSRF-TOKEN",
  4. }))

Example above uses X-XSRF-TOKEN request header to extract CSRF token.

Accessing CSRF Token

Server-side

CSRF token can be accessed from Echo#Context using ContextKey and passed tothe client via template.

Client-side

CSRF token can be accessed from CSRF cookie.

Configuration

  1. CSRFConfig struct {
  2.   // Skipper defines a function to skip middleware.
  3.   Skipper Skipper
  5.   // TokenLength is the length of the generated token.
  6.   TokenLength uint8 `json:"token_length"`
  7.   // Optional. Default value 32.
  9.   // TokenLookup is a string in the form of "<source>:<key>" that is used
  10.   // to extract token from the request.
  11.   // Optional. Default value "header:X-CSRF-Token".
  12.   // Possible values:
  13.   // - "header:<name>"
  14.   // - "form:<name>"
  15.   // - "query:<name>"
  16.   TokenLookup string `json:"token_lookup"`
  18.   // Context key to store generated CSRF token into context.
  19.   // Optional. Default value "csrf".
  20.   ContextKey string `json:"context_key"`
  22.   // Name of the CSRF cookie. This cookie will store CSRF token.
  23.   // Optional. Default value "csrf".
  24.   CookieName string `json:"cookie_name"`
  26.   // Domain of the CSRF cookie.
  27.   // Optional. Default value none.
  28.   CookieDomain string `json:"cookie_domain"`
  30.   // Path of the CSRF cookie.
  31.   // Optional. Default value none.
  32.   CookiePath string `json:"cookie_path"`
  34.   // Max age (in seconds) of the CSRF cookie.
  35.   // Optional. Default value 86400 (24hr).
  36.   CookieMaxAge int `json:"cookie_max_age"`
  38.   // Indicates if CSRF cookie is secure.
  39.   // Optional. Default value false.
  40.   CookieSecure bool `json:"cookie_secure"`
  42.   // Indicates if CSRF cookie is HTTP only.
  43.   // Optional. Default value false.
  44.   CookieHTTPOnly bool `json:"cookie_http_only"`
  45. }

Default Configuration

  1. DefaultCSRFConfig = CSRFConfig{
  2.   Skipper:      DefaultSkipper,
  3.   TokenLength:  32,
  4.   TokenLookup:  "header:" + echo.HeaderXCSRFToken,
  5.   ContextKey:   "csrf",
  6.   CookieName:   "_csrf",
  7.   CookieMaxAge: 86400,
  8. }