Add csrf protection

2016-05-02 17:22:56 -07:00
parent e65d55a3f7
commit 3ae67f6fa9
4 changed files with 8 additions and 0 deletions
--- a/package.json
+++ b/package.json
@ -43,6 +43,7 @@
    "compression": "^1.6.0",
    "connect-mongo": "~1.1.0",
    "cookie-parser": "^1.4.0",
+    "csurf": "^1.8.3",
    "debug": "^2.2.0",
    "dedent": "~0.6.0",
    "dotenv": "^2.0.0",
--- a/server/middleware.json
+++ b/server/middleware.json
@ -42,6 +42,7 @@
    "helmet#xssFilter": {},
    "helmet#noSniff": {},
    "helmet#frameguard": {},
+    "./middlewares/csurf": {},
    "./middlewares/constant-headers": {},
    "./middlewares/csp": {},
    "./middlewares/express-rx": {},
--- a/server/middlewares/csurf.js
+++ b/server/middlewares/csurf.js
@ -0,0 +1,5 @@
+import csurf from 'csurf';
+
+export default function() {
+  return csurf({ cookie: true });
+}
--- a/server/middlewares/global-locals.js
+++ b/server/middlewares/global-locals.js
@ -2,6 +2,7 @@ export default function globalLocals() {
  return function(req, res, next) {
    // Make user object available in templates.
    res.locals.user = req.user;
+    res.locals._csrf = req.csrfToken();
    next();
  };
 }