@csrf-armor/express
Version:
Express.js adapter for CSRF Armor - Advanced CSRF protection for Express.js applications
99 lines (78 loc) • 2.97 kB
Markdown
# @csrf-armor/express
<img src="https://cdn.nebz.dev/csrf-armor/logo.jpeg" alt="CSRF Armor" />
[](https://github.com/muneebs/csrf-armor/actions/workflows/ci.yml)
[](https://badge.fury.io/js/@csrf-armor%2Fexpress)
[](https://opensource.org/licenses/MIT)
[](https://www.typescriptlang.org/)
[](https://expressjs.com)
Express.js adapter for CSRF Armor - Advanced CSRF protection for Express.js applications.
## Installation
```bash
npm install @csrf-armor/express
# or
yarn add @csrf-armor/express
# or
pnpm add @csrf-armor/express
```
## Usage
```typescript
import express from 'express';
import { csrfMiddleware } from '@csrf-armor/express';
const app = express();
// Create the CSRF middleware
const csrfProtect = csrfMiddleware({
// Optional configuration
excludePaths: ['/webhook'], // Paths to exclude from CSRF protection
strategy: 'signed-double-submit', // CSRF protection strategy
secret: 'your-secret-key', // Required for signed strategies
cookie: {
name: 'csrf-token',
options: {
httpOnly: true,
secure: true,
sameSite: 'strict'
}
}
});
// Apply the middleware to protected routes
app.use('/api', csrfProtect);
// Your routes here
app.post('/api/data', (req, res) => {
res.json({ success: true });
});
```
## Configuration
The middleware accepts all configuration options from `@csrf-armor/core`. See the [core documentation](../core) for detailed configuration options.
### Quick Configuration Reference
```typescript
csrfMiddleware({
strategy: 'signed-double-submit', // Security strategy
secret: process.env.CSRF_SECRET, // Required for signed strategies
token: {
expiry: 3600, // Token lifetime (seconds)
reissueThreshold: 500, // Auto-renewal threshold (seconds)
headerName: 'X-CSRF-Token', // Header name
fieldName: 'csrf_token' // Form field name
},
cookie: {
name: 'csrf-token', // Cookie name
secure: true, // HTTPS only
httpOnly: false, // Allow client access
sameSite: 'strict' // CSRF protection
},
excludePaths: ['/api/public'], // Skip protection
allowedOrigins: ['https://yourdomain.com'] // Origin allowlist
})
```
## 📄 License
MIT © [Muneeb Samuels](https://github.com/muneebs)
## 📦 Related Packages
- **[@csrf-armor/core](../core)** - Framework-agnostic CSRF protection
**Questions?** [Open an issue](https://github.com/muneebs/csrf-armor/issues)
or [start a discussion](https://github.com/muneebs/csrf-armor/discussions)!