Class RestCsrfConfig

java.lang.Object
io.quarkus.csrf.reactive.runtime.RestCsrfConfig

@ConfigRoot(phase=RUN_TIME) public class RestCsrfConfig extends Object
Runtime configuration for CSRF Reactive Filter.
  • Field Details

    • formFieldName

      @ConfigItem(defaultValue="csrf-token") public String formFieldName
      Name of the form field that carries the CSRF token.
    • tokenHeaderName

      @ConfigItem(defaultValue="X-CSRF-TOKEN") public String tokenHeaderName
      Name of the HTTP header that can carry the CSRF token.
    • cookieName

      @ConfigItem(defaultValue="csrf-token") public String cookieName
      CSRF cookie name.
    • cookieMaxAge

      @ConfigItem(defaultValue="2H") public Duration cookieMaxAge
      CSRF cookie max age.
    • cookiePath

      @ConfigItem(defaultValue="/") public String cookiePath
      CSRF cookie path.
    • cookieDomain

      @ConfigItem public Optional<String> cookieDomain
      CSRF cookie domain.
    • cookieForceSecure

      @ConfigItem(defaultValue="false") public boolean cookieForceSecure
      If enabled, the CSRF cookie will have its 'secure' parameter set to 'true' when HTTP is used. This may be necessary when running behind an SSL-terminating reverse proxy. The cookie will always be secure if HTTPS is used, even if this property is set to false.
    • cookieHttpOnly

      @ConfigItem(defaultValue="true") public boolean cookieHttpOnly
      Set the HttpOnly attribute to prevent access to the cookie via JavaScript.
    • createTokenPath

      @ConfigItem public Optional<Set<String>> createTokenPath
      Create CSRF token only if the HTTP GET relative request path matches one of the paths configured with this property. Use a comma to separate multiple path values.
    • tokenSize

      @ConfigItem(defaultValue="16") public int tokenSize
      Random CSRF token size in bytes.
    • tokenSignatureKey

      @ConfigItem public Optional<String> tokenSignatureKey
      CSRF token HMAC signature key. If this key is set, it must be at least 32 characters long.
    • verifyToken

      @ConfigItem(defaultValue="true") public boolean verifyToken
      Verify the CSRF token in the CSRF filter. If you prefer, you can disable this property and compare the CSRF form and cookie parameters in the application code, using JAX-RS jakarta.ws.rs.FormParam, which refers to the formFieldName form property, and jakarta.ws.rs.CookieParam, which refers to the cookieName cookie. Note that even if CSRF token verification in the CSRF filter is disabled, the filter will still perform checks to ensure that the token is available, that it has the correct tokenSize in bytes, and that the Content-Type HTTP header is either 'application/x-www-form-urlencoded' or 'multipart/form-data'.
    • requireFormUrlEncoded

      @ConfigItem(defaultValue="true") public boolean requireFormUrlEncoded
      Require that only an 'application/x-www-form-urlencoded' or 'multipart/form-data' body is accepted for the token verification to proceed. Disable this property if the CSRF filter should not verify the token for POST requests with other content types. This property is only effective if the verifyToken property is enabled and tokenHeaderName is not configured.
  • Constructor Details

    • RestCsrfConfig

      public RestCsrfConfig()
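
The application-side comparison described under verifyToken could look like the following resource. This is an added example, not code from the Quarkus project: the class, package, path and the "name" form field are hypothetical, and it assumes verifyToken is disabled, formFieldName and cookieName keep their "csrf-token" defaults, and tokenSignatureKey is not set so the two values can be compared directly.

```java
package org.acme; // hypothetical package

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import jakarta.ws.rs.BadRequestException;
import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.CookieParam;
import jakarta.ws.rs.FormParam;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;

// Hypothetical resource. Assumes verifyToken is disabled, the default
// formFieldName and cookieName ("csrf-token"), and no tokenSignatureKey.
@Path("/profile")
public class ProfileResource {

    @POST
    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
    @Produces(MediaType.TEXT_PLAIN)
    public String update(@CookieParam("csrf-token") String cookieToken,
                         @FormParam("csrf-token") String formToken,
                         @FormParam("name") String name) {
        // Reject before touching any state if the tokens do not match.
        if (!tokensMatch(cookieToken, formToken)) {
            throw new BadRequestException("CSRF token mismatch");
        }
        return "updated " + name;
    }

    // Double-submit check: both values must be present and identical.
    static boolean tokensMatch(String cookieToken, String formToken) {
        if (cookieToken == null || formToken == null
                || cookieToken.isEmpty() || formToken.isEmpty()) {
            return false; // a missing token never matches, even another missing one
        }
        // MessageDigest.isEqual does not stop at the first differing byte.
        return MessageDigest.isEqual(
                cookieToken.getBytes(StandardCharsets.UTF_8),
                formToken.getBytes(StandardCharsets.UTF_8));
    }
}
```

Every state-changing endpoint needs the same check once verifyToken is off, since the filter then only confirms that a token of the right size is present.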