# Security
Linz comes with a number of security features out of the box, including:

- CSRF Protection
## CSRF Protection
CSRF protection helps prevent unauthorized commands from being transmitted on behalf of a user that the web application trusts: a request is only accepted if it carries a token that a third-party site cannot obtain.

You can read more about CSRF on OWASP.
### Customising CSRF
Linz uses the csurf module to provide CSRF protection.

To customise the options, supply Linz with the `csrf options` option. It accepts an object with the same properties as the csurf module's options:

```js
linz.init({
  'options': {
    // Passed straight through to csurf, e.g. cookie or value settings.
    'csrf options': {},
  },
});
```
### Custom error handler
CSRF failures are reported as an error with the code `err.code === 'EBADCSRFTOKEN'`. You can check for this code in your error handlers to display a custom message.

For example, here is a snippet from the Linz error middleware:

```js
module.exports = function (err, req, res, next) {
  if (err.code === 'EBADCSRFTOKEN') {
    // Distinguish a missing token from a token that did not match.
    err.message = (!req.body._csrf || req.body._csrf === 'undefined') ? 'No CSRF token was provided.' : 'The wrong CSRF token was provided.';
  }
  ...
}
```
### Adding CSRF protection to a custom form
The csurf module exposes the CSRF token via `req.csrfToken()`.

When implementing a custom page with a form, make sure the form includes the following hidden input, otherwise every submission will fail with `EBADCSRFTOKEN`:

```html
<input type="hidden" name="_csrf" value="{{csrfToken}}">
```

This is handled automatically for you when using `linz.api.model.generateFormString()`. Just make sure to pass the `csrfToken` option:

```js
linz.api.model.generateFormString(linz.api.model.get('user'), { csrfToken: req.csrfToken() });
```
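The two pieces described above, the error handler and the custom form, written out as an added example (not Linz's own code). It does not load csurf; it only assumes csurf's documented `err.code === 'EBADCSRFTOKEN'` contract and the `_csrf` field name, and the `renderCustomForm` and `csrfErrorHandler` names are hypothetical:

```javascript
// Added example (not Linz's or csurf's own code). Assumes only that csurf
// sets err.code to 'EBADCSRFTOKEN' and reads the token from req.body._csrf.

// Escape a value for safe use inside an HTML attribute, so a token (or any
// other value) cannot break out of the value="..." quoting.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Build a custom form that carries the hidden _csrf input csurf expects.
// In a real handler the token comes from req.csrfToken().
function renderCustomForm(csrfToken, action) {
  if (!csrfToken) {
    throw new Error('renderCustomForm: a CSRF token is required');
  }
  return [
    `<form method="post" action="${escapeAttr(action)}">`,
    `  <input type="hidden" name="_csrf" value="${escapeAttr(csrfToken)}">`,
    '  <input type="text" name="username">',
    '  <button type="submit">Save</button>',
    '</form>',
  ].join('\n');
}

// Same message logic as the Linz middleware snippet, returned as a value so
// it can be tested without a running server.
function csrfErrorMessage(req) {
  const token = req.body && req.body._csrf;
  return (!token || token === 'undefined')
    ? 'No CSRF token was provided.'
    : 'The wrong CSRF token was provided.';
}

// Express-style error middleware: answer CSRF failures with 403 and the
// message above, and hand every other error to the next error handler.
function csrfErrorHandler(err, req, res, next) {
  if (err.code !== 'EBADCSRFTOKEN') {
    return next(err);
  }
  err.message = csrfErrorMessage(req);
  res.status(403).send(err.message);
}
```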