CSRF

CSRF middleware for Fiber that provides Cross-site request forgery protection by passing a csrf token via cookies. This cookie value will be used to compare against the client csrf token on requests, other than those defined as “safe” by RFC7231 (GET, HEAD, OPTIONS, or TRACE). When the csrf token is invalid, this middleware will return the fiber.ErrForbidden error. When no _csrf cookie is set, or the token has expired, a new token will be generated and _csrf cookie set.

Signatures

  1. func New(config ...Config) fiber.Handler

Examples

Import the middleware package that is part of the Fiber web framework

  1. import (
  2.     "github.com/gofiber/fiber/v2"
  3.     "github.com/gofiber/fiber/v2/middleware/csrf"
  4. )

After you initiate your Fiber app, you can use the following possibilities:

  1. // Initialize default config
  2. app.Use(csrf.New())
  4. // Or extend your config for customization
  5. app.Use(csrf.New(csrf.Config{
  6.     KeyLookup:      "header:X-Csrf-Token",
  7.     CookieName:     "csrf_",
  8.     CookieSameSite: "Strict",
  9.     Expiration:     1 * time.Hour,
  10.     KeyGenerator:   utils.UUID,
  11. }))

Config

  1. // Config defines the config for middleware.
  2. type Config struct {
  3.     // Next defines a function to skip this middleware when returned true.
  4.     //
  5.     // Optional. Default: nil
  6.     Next func(c *fiber.Ctx) bool
  8.     // KeyLookup is a string in the form of "<source>:<key>" that is used
  9.     // to extract token from the request.
  10.     // Possible values:
  11.     // - "header:<name>"
  12.     // - "query:<name>"
  13.     // - "param:<name>"
  14.     // - "form:<name>"
  15.     // - "cookie:<name>"
  16.     //
  17.     // Optional. Default: "header:X-CSRF-Token"
  18.     KeyLookup string
  20.     // Name of the session cookie. This cookie will store session key.
  21.     // Optional. Default value "_csrf".
  22.     CookieName string
  24.     // Domain of the CSRF cookie.
  25.     // Optional. Default value "".
  26.     CookieDomain string
  28.     // Path of the CSRF cookie.
  29.     // Optional. Default value "".
  30.     CookiePath string
  32.     // Indicates if CSRF cookie is secure.
  33.     // Optional. Default value false.
  34.     CookieSecure bool
  36.     // Indicates if CSRF cookie is HTTP only.
  37.     // Optional. Default value false.
  38.     CookieHTTPOnly bool
  40.     // Indicates if CSRF cookie is HTTP only.
  41.     // Optional. Default value "Strict".
  42.     CookieSameSite string
  44.     // Expiration is the duration before csrf token will expire
  45.     //
  46.     // Optional. Default: 1 * time.Hour
  47.     Expiration time.Duration
  49.     // Store is used to store the state of the middleware
  50.     //
  51.     // Optional. Default: memory.New()
  52.     Storage fiber.Storage
  54.     // Context key to store generated CSRF token into context.
  55.     // If left empty, token will not be stored in context.
  56.     //
  57.     // Optional. Default: ""
  58.     ContextKey string
  60.     // KeyGenerator creates a new CSRF token
  61.     //
  62.     // Optional. Default: utils.UUID
  63.     KeyGenerator func() string
  64. }

Default Config

  1. var ConfigDefault = Config{
  2.     KeyLookup:      "header:X-Csrf-Token",
  3.     CookieName:     "csrf_",
  4.     CookieSameSite: "Strict",
  5.     Expiration:     1 * time.Hour,
  6.     KeyGenerator:   utils.UUID,
  7. }