Documentation
Functions
func Protect
func Protect() arx.Middleware
Protect returns a Middleware with default configuration. Requires session.Middleware() to run before it in the chain.
func TemplateField
TemplateField returns an HTML hidden input element for use in server-rendered forms. Output:
<input type="hidden" name="csrf_token" value="<token>">
The csrf middleware must run before this is called.
Types
type Config
type Config struct {
	// SessionKey is the session key under which the CSRF token is stored.
	// Default: "_csrf".
	SessionKey string
	// HeaderName is the request header checked on unsafe methods.
	// Default: "X-CSRF-Token".
	HeaderName string
	// FieldName is the HTML form field name checked as a fallback to the header.
	// Default: "csrf_token".
	FieldName string
	// ErrorHandler is called when CSRF validation fails.
	// Default: returns 403 Forbidden with body {"error":"csrf validation failed"}.
	ErrorHandler func(*arx.Context) error
}
Config holds the configuration for a Protector.
type Protector
type Protector struct {
	// contains filtered or unexported fields
}
Protector enforces CSRF token validation.
func (*Protector) Middleware
func (p *Protector) Middleware() arx.Middleware
Middleware returns an arx.Middleware that enforces CSRF protection. On safe methods it injects the token as the X-CSRF-Token response header. On unsafe methods it validates the submitted token and rejects the request with 403 on mismatch.
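The validation flow documented above, sketched with net/http only as an added example; it is not this package's code and uses none of the arx API. The names protect and status and the token value are hypothetical, and the safe-method set (GET, HEAD, OPTIONS, TRACE), the constant-time comparison, and treating a non-empty header as authoritative over the form field are assumptions.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

const headerName, fieldName = "X-CSRF-Token", "csrf_token" // documented Config defaults

// protect is a hypothetical stand-in for the middleware; sessionToken plays the session-stored value.
func protect(sessionToken string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions, http.MethodTrace: // assumed safe set
			w.Header().Set(headerName, sessionToken)
			next.ServeHTTP(w, r)
			return
		}
		got := r.Header.Get(headerName)
		if got == "" {
			got = r.PostFormValue(fieldName) // form field is only a fallback
		}
		// Constant-time compare (a choice made here); an empty session token never validates.
		if sessionToken == "" || subtle.ConstantTimeCompare([]byte(got), []byte(sessionToken)) != 1 {
			w.Header().Set("Content-Type", "application/json")
			w.WriteHeader(http.StatusForbidden)
			fmt.Fprint(w, `{"error":"csrf validation failed"}`)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// status sends one constructed request through h and returns the response code.
func status(h http.Handler, method, hdr, form string) int {
	r := httptest.NewRequest(method, "/", strings.NewReader(fieldName+"="+form))
	r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	r.Header.Set(headerName, hdr)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, r)
	return rec.Code
}

func main() {
	h := protect("constructed-token", http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	fmt.Println(status(h, "POST", "", "constructed-token"), status(h, "POST", "wrong", "constructed-token"))
}
```

In this sketch a wrong header is rejected even when the form field carries the right token, and an empty session token fails closed instead of matching an empty submission.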