csrf-protection

Solid

Implements CSRF protection using synchronizer tokens, double-submit cookies, and SameSite attributes. Use when securing web forms, protecting state-changing endpoints, or implementing defense-in-depth authentication.

API & Backend 168 stars 27 forks Updated 4 weeks ago MIT

Install

View on GitHub

Quality Score: 89/100

Stars 20%

Recency 20%

Frontmatter 20%

Documentation 15%

100

Issue Health 10%

License 10%

100

Description 5%

100

Skill Content

# CSRF Protection Defend against Cross-Site Request Forgery attacks using multiple protection layers. ## Protection Methods | Method | How It Works | Browser Support | |--------|--------------|-----------------| | Synchronizer Token | Hidden form field validated server-side | All | | Double Submit | Cookie + header must match | All | | SameSite Cookie | Browser blocks cross-origin requests | Modern | ## Token-Based Protection (Express) ```javascript const crypto = require('crypto'); function generateToken() { return crypto.randomBytes(32).toString('hex'); } // Middleware app.use((req, res, next) => { if (!req.session.csrfToken) { req.session.csrfToken = generateToken(); } res.locals.csrfToken = req.session.csrfToken; next(); }); // Validation app.post('*', (req, res, next) => { const token = req.body._csrf || req.headers['x-csrf-token']; if (!token || !crypto.timingSafeEqual( Buffer.from(token), Buffer.from(req.session.csrfToken) )) { return res.status(403).json({ error: 'Invalid CSRF token' }); } next(); }); ``` ## SameSite Cookies ```javascript app.use(session({ cookie: { httpOnly: true, secure: true, sameSite: 'strict', // or 'lax' maxAge: 3600000 } })); ``` ## HTML Form Integration ```html <form method="POST" action="/transfer"> <input type="hidden" name="_csrf" value="<%= csrfToken %>"> <button type="submit">Submit</button> </form> ``` ## Best Practices - Apply to all state-changing requests (POST,...

Details

Author: secondsky
Repository: secondsky/claude-skills
Created: 7 months ago
Last Updated: 4 weeks ago
Language: TypeScript
License: MIT

Integrates with

Cloudflare · Cloud

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Solid

validating-csrf-protection

This skill helps to identify Cross-Site Request Forgery (CSRF) vulnerabilities in web applications. It validates the implementation of CSRF protection mechanisms, such as synchronizer tokens, double-submit cookies, SameSite attributes, and origin validation. Use this skill when you need to analyze your application's security posture against CSRF attacks or when asked to "validate csrf", "check for csrf vulnerabilities", or "test csrf protection".

2,359 Updated today

jeremylongshore

AI & Automation Featured

csrf-protection-validator

Validate csrf protection validator operations. Auto-activating skill for Security Fundamentals. Triggers on: csrf protection validator, csrf protection validator Part of the Security Fundamentals skill category. Use when working with csrf protection validator functionality. Trigger with phrases like "csrf protection validator", "csrf validator", "csrf".

2,359 Updated today

jeremylongshore

API & Backend Solid

api-security-hardening

REST API security hardening with authentication, rate limiting, input validation, security headers. Use for production APIs, security audits, defense-in-depth, or encountering vulnerabilities, injection attacks, CORS issues.

168 Updated 4 weeks ago

secondsky