Skip to content

Morgbn/nuxt-csurf

2 Branches20 Tags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

semantic-release-botsemantic-release-bot
chore(release): 🔖 1.6.5 [skip ci]
Oct 29, 2024
7ae2b3c · Oct 29, 2024

History

102 Commits
.github/workflows
.github/workflows
Mar 20, 2024
playground
playground
Oct 29, 2024
src
src
Oct 29, 2024
.editorconfig
.editorconfig
Jan 17, 2023
.gitignore
.gitignore
Jan 17, 2023
.npmrc
.npmrc
Jan 17, 2023
.nuxtrc
.nuxtrc
Dec 21, 2023
.releaserc
.releaserc
Sep 9, 2023
.yarnrc.yml
.yarnrc.yml
Mar 20, 2024
CHANGELOG.md
CHANGELOG.md
Oct 29, 2024
LICENSE
LICENSE
Mar 10, 2023
README.md
README.md
Oct 29, 2024
eslint.config.mjs
eslint.config.mjs
Aug 20, 2024
package.json
package.json
Oct 29, 2024
tsconfig.json
tsconfig.json
Dec 15, 2023
yarn.lock
yarn.lock
Oct 29, 2024

Repository files navigation

nuxt-oa-social-card

npm version npm downloads License Nuxt

Nuxt Csurf

Cross-Site Request Forgery (CSRF) prevention.
Create a middleware for CSRF token creation and validation.

✅ Supports Node.js server & serverless environments
✅ Supports both universal and client-side rendering (ssr: true|false)
✅ Per-route configuration
✅ TypeScript
❌ Don't support static hosting and nitro prerender due to certain limitations *

Installation

npx nuxi@latest module add csurf

Global configuration

// nuxt.config.js
export default defineNuxtConfig({
  modules: ['nuxt-csurf'],
  csurf: { // optional
    https: false, // default true if in production
    cookieKey: '', // "__Host-csrf" if https is true otherwise just "csrf"
    cookie: { // CookieSerializeOptions from unjs/cookie-es
      path: '/',
      httpOnly: true,
      sameSite: 'strict'
    },
    methodsToProtect: ['POST', 'PUT', 'PATCH'], // the request methods we want CSRF protection for
    encryptSecret: /** a 32 bits secret */, // for stateless server (like serverless runtime), random bytes by default
    encryptAlgorithm: 'aes-256-cbc', // by default 'aes-256-cbc' (node), 'AES-CBC' (serverless)
    addCsrfTokenToEventCtx: true, // default false, to run useCsrfFetch on server set it to true
    headerName: 'csrf-token' // the header where the csrf token is stored
  } 
})

Per route configuration

To enable per-route configuration, use the routeRules like following:

export default defineNuxtConfig({
  routeRules: {
    '/api/nocsrf': {
      csurf: false
    },
    '/api/test': {
      csurf: {
        methodsToProtect: ['POST'] // protect POST request only
      }
    }
  }
})

useCsrfFetch

This composable provides a convenient wrapper around useFetch. It automatically adds the CSRF token in headers.

const { data, pending, error, refresh } = useCsrfFetch('/api/login', { query: param1: 'value1' })

$csrfFetch

This helper provides a convenient wrapper around $fetch. It automatically adds the CSRF token in headers.

const { $csrfFetch } = useNuxtApp()
const { data } = await $csrfFetch('/api/login', { method: 'POST', body: , headers:  })

useCsrf

Use this composable if you need to access to the CSRF token value.

const { csrf } = useCsrf()
console.log(csrf) // something like: mo4+MrFaeXP7fhAie0o2qw==:tLUaqtHW6evx/coGQVAhtGAR+v6cxgFtrqmkOsuAMag8PHRnMwpbGGUO0TPJjL+4

Try production on localhost (yarn preview):

NITRO_CSURF_HTTPS=false
NITRO_CSURF_COOKIE_KEY=csrf

Limitations

The CSRF Token value is stored in the DOM as described in Owasp's CSRF cheatsheet. So the DOM has to be generated for each new page request, which is not the case with a static site (or prerendered routes). See error #42

Credits

About

Nuxt Cross-Site Request Forgery (CSRF) Prevention

nuxt-csurf.vercel.app

Resources

Readme

License

MIT license
Activity

Stars

82 stars

Watchers

1 watching

Forks

15 forks
Report repository

Releases 20

v1.6.5 Latest
Oct 29, 2024
+ 19 releases

Packages

No packages published

Contributors 4

Languages