On this page:


 (require koyo/csrf) package: koyo-lib

This module provides a wrapper function for protecting your application against CSRF attacks.

Contains the function that is used to generate new CSRF tokens.

Holds the CSRF token for the current request. If the current request handler was wrapped with wrap-csrf, then this is guaranteed to contain a non-empty string.

Contains the function that is used to extract the current CSRF token from the request. The default implementation tries to extract the CSRF token from a header called x-csrf-token and, if that fails, then it tries to get it from a binding called csrf-token.


(current-csrf-error-handler)  (-> request? response?)

(current-csrf-error-handler handler)  void?
  handler : (-> request? response?)
Holds the request handler that is invoked when the request does not contain a valid CSRF token. The default implementation returns a 403 Forbidden response along with some HTML describing the issue.


((wrap-csrf sessions) handler)

  (-> request? any/c ... response?)
  sessions : session-manager?
  handler : procedure?
Wraps a handler such that any incoming DELETE, POST or PUT request that doesn’t contain a valid CSRF token is rejected by passing the request to current-csrf-error-handler.

CSRF tokens are automatically generated and stored in each users’ sessions. If a user’s session already contains a CSRF token, then it is reused until the session expires.

This wrapper must be applied after wrap-session.