UNPKG

nuxt-csurf

Version:

Nuxt Cross-Site Request Forgery (CSRF) Prevention

github.com/Morgbn/nuxt-csurf

Morgbn/nuxt-csurf

103 lines (81 loc) 3.5 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
![nuxt-oa-social-card](https://github.com/Morgbn/nuxt-csurf/assets/25689856/7f49b654-c682-4f15-9e40-6ba9644e28ac) [![npm version][npm-version-src]][npm-version-href] [![npm downloads][npm-downloads-src]][npm-downloads-href] [![License][license-src]][license-href] [![Nuxt][nuxt-src]][nuxt-href] # Nuxt Csurf Cross-Site Request Forgery (CSRF) prevention. \ Create a middleware for CSRF token creation and validation. ✅ Supports Node.js server & serverless environments \ ✅ Supports both universal and client-side rendering (`ssr: true|false`) \ ✅ Per-route configuration \ ✅ TypeScript ## Installation ```sh npx nuxi@latest module add csurf ``` ## Global configuration ```javascript // nuxt.config.js export default defineNuxtConfig({ modules: ['nuxt-csurf'], csurf: { // optional https: false, // default true if in production cookieKey: '', // "__Host-csrf" if https is true otherwise just "csrf" cookie: { // CookieSerializeOptions from unjs/cookie-es path: '/', httpOnly: true, sameSite: 'strict' }, methodsToProtect: ['POST', 'PUT', 'PATCH'], // the request methods we want CSRF protection for encryptSecret: /** a 32 bits secret */, // only for non serverless runtime, random bytes by default encryptAlgorithm: 'aes-256-cbc', // by default 'aes-256-cbc' (node), 'AES-CBC' (serverless) addCsrfTokenToEventCtx: true, // default false, to run useCsrfFetch on server set it to true headerName: 'csrf-token' // the header where the csrf token is stored } }) ``` ## Per route configuration To enable per-route configuration, use the routeRules like following: ```javascript export default defineNuxtConfig({ routeRules: { '/api/nocsrf': { csurf: false }, '/api/test': { csurf: { methodsToProtect: ['POST'] // protect POST request only } } } }) ``` ### useCsrfFetch This composable provides a convenient wrapper around `useFetch`. It automatically adds the CSRF token in headers. ```javascript const { data, pending, error, refresh } = useCsrfFetch('/api/login', { query: param1: 'value1' }) ``` ### $csrfFetch This helper provides a convenient wrapper around `$fetch`. It automatically adds the CSRF token in headers. ```javascript const { $csrfFetch } = useNuxtApp() const { data } = await $csrfFetch('/api/login', { method: 'POST', body: …, headers: … }) ``` ### useCsrf Use this composable if you need to access to the CSRF token value. ```javascript const { csrf } = useCsrf() console.log(csrf) // something like: mo4+MrFaeXP7fhAie0o2qw==:tLUaqtHW6evx/coGQVAhtGAR+v6cxgFtrqmkOsuAMag8PHRnMwpbGGUO0TPJjL+4 ``` ## Credits - inspired by [tiny-csrf](https://github.com/valexandersaulys/tiny-csrf) and [expressjs/csurf](https://github.com/expressjs/csurf) - see [OWASP CSRF cheatsheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html) [npm-version-src]: https://img.shields.io/npm/v/nuxt-csurf/latest.svg?style=flat&colorA=18181B&colorB=28CF8D [npm-version-href]: https://npmjs.com/package/nuxt-csurf [npm-downloads-src]: https://img.shields.io/npm/dt/nuxt-csurf.svg?style=flat&colorA=18181B&colorB=28CF8D [npm-downloads-href]: https://npmjs.com/package/nuxt-csurf [license-src]: https://img.shields.io/npm/l/@nuxt/image.svg?style=flat&colorA=18181B&colorB=28CF8D [license-href]: https://npmjs.com/package/nuxt-csurf [nuxt-src]: https://img.shields.io/badge/Nuxt-18181B?logo=nuxt.js [nuxt-href]: https://nuxt.com