CSRF Protection

Table of Contents

• Overview
• When to Use
• Quick Start
• Reference Guides
• Best Practices

Overview

Implement comprehensive Cross-Site Request Forgery protection using synchronizer tokens, double-submit cookies, SameSite cookie attributes, and custom headers.

When to Use

• Form submissions
• State-changing operations
• Authentication systems
• Payment processing
• Account management
• Any POST/PUT/DELETE requests

Quick Start

Minimal working example:

// csrf-protection.js
const crypto = require("crypto");
const csrf = require("csurf");

class CSRFProtection {
  constructor() {
    this.tokens = new Map();
    this.tokenExpiry = 3600000; // 1 hour
  }

  /**
   * Generate CSRF token
   */
  generateToken() {
    return crypto.randomBytes(32).toString("hex");
  }

  /**
   * Create token for session
   */
  createToken(sessionId) {
    const token = this.generateToken();
    const expiry = Date.now() + this.tokenExpiry;

    this.tokens.set(sessionId, {
// ... (see reference guides for full implementation)

Reference Guides

Detailed implementations in the references/ directory:

Guide	Contents
Node.js/Express CSRF Protection	Node.js/Express CSRF Protection
Double Submit Cookie Pattern	Double Submit Cookie Pattern
Python Flask CSRF Protection	Python Flask CSRF Protection
Frontend CSRF Implementation	Frontend CSRF Implementation
Origin and Referer Validation	Origin and Referer Validation

Best Practices

✅ DO

• Use CSRF tokens for all state-changing operations
• Set SameSite=Strict on cookies
• Validate Origin/Referer headers
• Use secure, random tokens
• Implement token expiration
• Use HTTPS only
• Include tokens in AJAX requests
• Test CSRF protection

❌ DON'T

• Skip CSRF for authenticated requests
• Use GET for state changes
• Trust Origin header alone
• Reuse tokens
• Store tokens in localStorage
• Allow credentials in CORS without validation