csrf-protection
aj-geddes/useful-ai-prompts · updated Apr 8, 2026
# CSRF Protection

## Overview
Implement comprehensive Cross-Site Request Forgery protection using synchronizer tokens, double-submit cookies, SameSite cookie attributes, and custom headers.
## When to Use
- Form submissions
- State-changing operations
- Authentication systems
- Payment processing
- Account management
- Any POST/PUT/DELETE requests
## Quick Start
Minimal working example:
```javascript
// csrf-protection.js
const crypto = require("crypto");
const csrf = require("csurf"); // imported but not used in this excerpt

class CSRFProtection {
  constructor() {
    this.tokens = new Map(); // sessionId -> { token, expiry }
    this.tokenExpiry = 3600000; // 1 hour
  }

  /**
   * Generate CSRF token
   */
  generateToken() {
    return crypto.randomBytes(32).toString("hex");
  }

  /**
   * Create token for session
   */
  createToken(sessionId) {
    const token = this.generateToken();
    const expiry = Date.now() + this.tokenExpiry;
    this.tokens.set(sessionId, { token, expiry });
    return token;
  }

  // ... (see reference guides for full implementation)
}

module.exports = CSRFProtection;
```
## Reference Guides
Detailed implementations in the references/ directory:
- Node.js/Express CSRF Protection
- Double Submit Cookie Pattern
- Python Flask CSRF Protection
- Frontend CSRF Implementation
- Origin and Referer Validation
## Best Practices

### ✅ DO
- Use CSRF tokens for all state-changing operations
- Set SameSite=Strict on cookies
- Validate Origin/Referer headers
- Use secure, random tokens
- Implement token expiration
- Use HTTPS only
- Include tokens in AJAX requests
- Test CSRF protection
### ❌ DON'T
- Skip CSRF for authenticated requests
- Use GET for state changes
- Trust Origin header alone
- Reuse tokens
- Store tokens in localStorage
- Allow credentials in CORS without validation
## Ratings
4.8 ★★★★★ (69 reviews)

- ★★★★★ Ganesh Mohane · Dec 28, 2024: I recommend csrf-protection for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
- ★★★★★ Aditi Park · Dec 28, 2024: I recommend csrf-protection for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
- ★★★★★ Nia White · Dec 24, 2024: csrf-protection reduced setup friction for our internal harness; good balance of opinion and flexibility.
- ★★★★★ Chen Ndlovu · Dec 24, 2024: Solid pick for teams standardizing on skills: csrf-protection is focused, and the summary matches what you get after install.
- ★★★★★ Harper Singh · Dec 20, 2024: csrf-protection is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
- ★★★★★ Isabella Smith · Nov 15, 2024: csrf-protection has been reliable in day-to-day use. Documentation quality is above average for community skills.
- ★★★★★ Benjamin Liu · Nov 11, 2024: Keeps context tight: csrf-protection is the kind of skill you can hand to a new teammate without a long onboarding doc.
- ★★★★★ Nia Wang · Nov 7, 2024: csrf-protection reduced setup friction for our internal harness; good balance of opinion and flexibility.
- ★★★★★ Isabella Huang · Oct 6, 2024: Useful defaults in csrf-protection — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
- ★★★★★ Tariq Lopez · Oct 2, 2024: Registry listing for csrf-protection matched our evaluation — installs cleanly and behaves as described in the markdown.