class Azu::Handler::CSRF

• Azu::Handler::CSRF
• Reference
• Object

Overview

The CSRF Handler implements Cross-Site Request Forgery protection following OWASP recommendations for token-based mitigation

Included Modules

• HTTP::Handler

Defined in:

azu/handler/csrf.cr

Constant Summary

COOKIE_KEY = "csrf_token"

COOKIE_MAX_AGE = 86400

Cookie configuration

COOKIE_SAME_SITE = HTTP::Cookie::SameSite::Strict

HEADER_KEY = "X-CSRF-TOKEN"

Headers and parameters for CSRF tokens

HMAC_SECRET_LENGTH = 64

PARAM_KEY = "_csrf"

TOKEN_LENGTH = 32

Token configuration

UNSAFE_METHODS = ["POST", "PUT", "PATCH", "DELETE"] of ::String

HTTP methods that require CSRF protection

Constructors

• .default : CSRF

  Get default instance (backward compatibility) Uses double-checked locking to avoid mutex contention

• .new(skip_routes : Array(String) = [] of String, strategy : Strategy = Strategy::SignedDoubleSubmit, secret_key : String | Nil = nil, cookie_name : String = COOKIE_KEY, header_name : String = HEADER_KEY, param_name : String = PARAM_KEY, cookie_max_age : Int32 = COOKIE_MAX_AGE, cookie_same_site : HTTP::Cookie::SameSite = COOKIE_SAME_SITE, secure_cookies : Bool = true)

Class Method Summary

• .configure(&)

  Configuration block

• .cookie_max_age
• .cookie_max_age=(value : Int32)
• .cookie_name
• .cookie_name=(value : String)
• .header_name
• .header_name=(value : String)
• .metatag(context : HTTP::Server::Context) : String
• .param_name
• .param_name=(value : String)
• .reset_default!

  Reset default instance (useful for testing)

• .secret_key
• .secret_key=(value : String)
• .secure_cookies
• .secure_cookies=(value : Bool)
• .strategy

  Class-level property accessors that delegate to default instance

• .strategy=(value : Strategy)
• .tag(context : HTTP::Server::Context) : String
• .token(context : HTTP::Server::Context) : String

  Class-level methods for backward compatibility These delegate to the default instance

• .use_double_submit!
• .use_signed_double_submit!

  Configuration helper methods

• .use_synchronizer_token!
• .validate_origin(context : HTTP::Server::Context) : Bool

Instance Method Summary

• #call(context : HTTP::Server::Context)
• #cookie_max_age : Int32
• #cookie_max_age=(cookie_max_age : Int32)
• #cookie_name : String
• #cookie_name=(cookie_name : String)
• #cookie_same_site : HTTP::Cookie::SameSite
• #cookie_same_site=(cookie_same_site : HTTP::Cookie::SameSite)
• #header_name : String
• #header_name=(header_name : String)
• #metatag(context : HTTP::Server::Context) : String

  Generate meta tag with CSRF token for AJAX requests

• #param_name : String
• #param_name=(param_name : String)
• #secret_key : String
• #secret_key=(secret_key : String)
• #secure_cookies=(secure_cookies : Bool)
• #secure_cookies? : Bool
• #strategy : Strategy

  Instance-level configuration properties

• #strategy=(strategy : Strategy)

  Instance-level configuration properties

• #tag(context : HTTP::Server::Context) : String

  Generate HTML hidden input with CSRF token

• #token(context : HTTP::Server::Context) : String

  Generate CSRF token for forms/AJAX requests

• #valid_token?(context : HTTP::Server::Context) : Bool

  Validate CSRF token based on configured strategy

• #validate_origin(context : HTTP::Server::Context) : Bool

  Origin validation (additional security layer)

Constructor Detail

Class Method Detail

Instance Method Detail