
7 CSRF

 (require koyo/csrf) package: koyo-lib

This module provides a wrapper function for protecting your application against CSRF attacks.

parameter

current-csrf-token-generator

Contains the function that is used to generate new CSRF tokens. The generator is called when a session does not already hold a token.

parameter

(current-csrf-token)  (or/c #f non-empty-string?)

(current-csrf-token token)  void?
  token : (or/c #f non-empty-string?)
Holds the CSRF token for the current request. If the current request handler was wrapped with wrap-csrf, then this is guaranteed to contain a non-empty string.

parameter

(current-csrf-token-reader)  (-> request? (or/c #f non-empty-string?))
(current-csrf-token-reader reader)  void?
  reader : (-> request? (or/c #f non-empty-string?))
Contains the function that is used to extract the CSRF token from the incoming request, which is then compared against the token stored in the session. The default implementation first looks for a header called x-csrf-token and, if that is absent, falls back to a request binding (a form field or query parameter) called csrf-token.

parameter

(current-csrf-error-handler)  (-> request? response?)

(current-csrf-error-handler handler)  void?
  handler : (-> request? response?)
Holds the request handler that is invoked when the request does not contain a valid CSRF token. The default implementation returns a 403 Forbidden response along with some HTML describing the issue.

procedure

((wrap-csrf sessions) handler)  (-> request? any/c ... response?)
  sessions : session-manager?
  handler : procedure?
Wraps a handler such that any incoming DELETE, POST or PUT request that doesn't carry a valid CSRF token (as found by current-csrf-token-reader) is rejected by passing the request to current-csrf-error-handler instead of the wrapped handler. Requests with other methods are not checked.

CSRF tokens are generated automatically and stored in each user's session. If a user's session already contains a CSRF token, that token is reused until the session expires.

This wrapper must be applied after wrap-session: wrap-session has to be the outer wrapper, so that the session (and the token stored in it) is already available when the CSRF check runs.
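The following is an added example, not code from the koyo documentation or the koyo project itself. It shows a small handler stack with wrap-session outside wrap-csrf, a form that embeds current-csrf-token under the csrf-token binding the default reader expects, and the two parameters swapped out for an API-style deployment (header-only token reader, JSON error response). It assumes the reader already has a session-manager? value built with koyo/session (how to construct one is not shown here), that wrap-session takes the same ((wrap-session sessions) handler) shape as wrap-csrf, and that the request/response helpers are the standard ones from web-server/http.

```racket
#lang racket/base
;; Added example: a CSRF-protected handler stack built on koyo/csrf.
;; `sessions` is assumed to be a session-manager? created with koyo/session.
(require koyo/csrf
         koyo/session           ; for wrap-session (assumed signature below)
         web-server/http)

;; A stricter token reader: accept the token only from the x-csrf-token
;; header, never from a form or query binding. Useful for JSON APIs where
;; an attacker-controlled cross-origin form could otherwise post the binding.
(define (header-only-csrf-reader req)
  (define h (headers-assq* #"x-csrf-token" (request-headers/raw req)))
  (and h
       (let ([v (bytes->string/utf-8 (header-value h))])
         (and (positive? (string-length v)) v))))

;; A JSON error handler in place of the default HTML 403 page.
(define (json-csrf-error-handler _req)
  (response/full 403 #"Forbidden"
                 (current-seconds) #"application/json; charset=utf-8"
                 '()
                 (list #"{\"error\":\"missing or invalid CSRF token\"}")))

;; GET /transfer: render a form that carries the session's token as the
;; `csrf-token` binding, which the default reader picks up on POST.
(define (transfer-form-page _req)
  (response/xexpr
   `(html
     (body
      (form ([method "post"] [action "/transfer"])
            (input ([type "hidden"] [name "csrf-token"]
                    [value ,(current-csrf-token)]))
            (input ([type "text"] [name "amount"]))
            (button "Transfer"))))))

;; POST /transfer: only reached when wrap-csrf accepted the token.
(define (transfer-page _req)
  (response/xexpr `(html (body "transfer accepted"))))

(define (dispatch req)
  (define m (request-method req))
  (cond
    [(equal? m #"GET")  (transfer-form-page req)]
    [(equal? m #"POST") (transfer-page req)]
    [else (response/xexpr `(html (body "method not allowed")) #:code 405)]))

;; wrap-session is the outer wrapper so the session exists before the CSRF
;; check runs; wrap-csrf rejects DELETE/POST/PUT without a valid token.
(define (make-app sessions)
  ((wrap-session sessions)
   ((wrap-csrf sessions)
    dispatch)))

;; For an API deployment, switch the parameters globally before serving.
;; Setting a Racket parameter directly (rather than with parameterize)
;; makes the new value visible in every request thread.
(define (make-api-app sessions)
  (current-csrf-token-reader header-only-csrf-reader)
  (current-csrf-error-handler json-csrf-error-handler)
  (make-app sessions))
```

With make-api-app, a browser form post that carries only the csrf-token binding is rejected with the JSON 403, while a same-origin script that sends the token in the x-csrf-token header (reading it from the page, where current-csrf-token was rendered) passes; the session-stored token itself is never changed by either path.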