org.http4s.server.middleware

CSRF

final class CSRF extends AnyRef

Middleware to avoid Cross-site request forgery attacks. More info on CSRF at: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

This middleware is modeled after the double submit cookie pattern: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#DoubleSubmit_Cookie

When a user authenticates, embedNew is used to send a random CSRF value as a cookie. (Alterntively, an authenticating service can be wrapped in withNewToken). Services protected by the validaed middleware then check that the value is prsent in both the header headerName and the cookie cookieName. Due to the Same-Origin policy, an attacker will be unable to reproduce this value in a custom header, resulting in a 403 Forbidden response.

Linear Supertypes
AnyRef, Any
Ordering
  1. Alphabetic
  2. By inheritance
Inherited
  1. CSRF
  2. AnyRef
  3. Any
  1. Hide All
  2. Show all
Learn more about member selection
Visibility
  1. Public
  2. All

Value Members

  1. final def !=(arg0: AnyRef): Boolean

    Definition Classes
    AnyRef

  2. final def !=(arg0: Any): Boolean

    Definition Classes
    Any

  3. final def ##(): Int

    Definition Classes
    AnyRef → Any

  4. final def ==(arg0: AnyRef): Boolean

    Definition Classes
    AnyRef

  5. final def ==(arg0: Any): Boolean

    Definition Classes
    Any

  6. final def asInstanceOf[T0]: T0

    Definition Classes
    Any

  7. def clone(): AnyRef

    Attributes
    protected[java.lang]
    Definition Classes
    AnyRef
    Annotations
    @throws( ... )

  8. val cookieName: String

    the CSRF cookie name

  9. def embedNew(res: MaybeResponse): Task[Response]

    Embed a token into a response *

  10. final def eq(arg0: AnyRef): Boolean

    Definition Classes
    AnyRef

  11. def equals(arg0: Any): Boolean

    Definition Classes
    AnyRef → Any

  12. def finalize(): Unit

    Attributes
    protected[java.lang]
    Definition Classes
    AnyRef
    Annotations
    @throws( classOf[java.lang.Throwable] )

  13. final def getClass(): Class[_]

    Definition Classes
    AnyRef → Any

  14. def hashCode(): Int

    Definition Classes
    AnyRef → Any

  15. val headerName: String

    your CSRF header name

  16. final def isInstanceOf[T0]: Boolean

    Definition Classes
    Any

  17. final def ne(arg0: AnyRef): Boolean

    Definition Classes
    AnyRef

  18. final def notify(): Unit

    Definition Classes
    AnyRef

  19. final def notifyAll(): Unit

    Definition Classes
    AnyRef

  20. final def synchronized[T0](arg0: ⇒ T0): T0

    Definition Classes
    AnyRef

  21. def toString(): String

    Definition Classes
    AnyRef → Any

  22. def validate(predicate: (Request) ⇒ Boolean = _.method.isSafe): (Service[Request, MaybeResponse]) ⇒ Service[Request, MaybeResponse]

    Constructs a middleware that will check for the csrf token presence on both the proper cookie, and header values.

    Constructs a middleware that will check for the csrf token presence on both the proper cookie, and header values.

    If it is a valid token, it will then embed a new one, to effectively randomize the complete token while avoiding the generation of a new secure random Id, to guard against [BREACH](http://breachattack.com/)

  23. final def wait(): Unit

    Definition Classes
    AnyRef
    Annotations
    @throws( ... )

  24. final def wait(arg0: Long, arg1: Int): Unit

    Definition Classes
    AnyRef
    Annotations
    @throws( ... )

  25. final def wait(arg0: Long): Unit

    Definition Classes
    AnyRef
    Annotations
    @throws( ... )

  26. def withNewToken: (Service[Request, MaybeResponse]) ⇒ Service[Request, MaybeResponse]

    Middleware to embed a csrf token into routes that do not have one.

    Middleware to embed a csrf token into routes that do not have one. *

Inherited from AnyRef

Inherited from Any

Ungrouped