I'm no @jeffharrell, however ...
If you check out the options meddleware accepts, you'll find this:
route (string, optional) - An express route against which the middleware should be registered.
Basically, all that meddleware does there is app.use(yourRoute, yourMiddleware) (with some fancy route resolution to support nested apps and stuff—check out the source if you want to find out more about that).
So, assuming you want csrf only on routes under /protect, you could add a config/config.json with the following:
{
  "middleware": {
    "appsec": {
      "priority": 110,
      "module": {
        "name": "lusca",
        "arguments": [
          {
            "csrf": false,
            "xframe": "SAMEORIGIN",
            "p3p": false,
            "csp": false
          }
        ]
      }
    },
    "appsecprotect": {
      "route": "/protect",
      "enabled": true,
      "priority": 111,
      "module": {
        "name": "lusca",
        "arguments": [
          {
            "csrf": true
          }
        ]
      }
    }
  }
}
A quick explanation: The appsec section is to turn off the default action by kraken to enable csrf. The appsecprotect section is to turn it back on only for routes that begin with /protect.
You can see this working here. Spin up that server and hit /anything and it'll return 'unknown'. Hit /protect and it'll show you the token.
Right now it's all or nothing. This is an interesting requirement though. Let me see what I can do when I'm back from node summit.
-- Jeff
On Dec 4, 2013, at 6:44 AM, "Cristiano Betta" <[email protected]> wrote:
Part of my app is an API. How do I disable CSRF for this and only this action?
@jeffharrell yeah. Would also like to see how exactly this is supposed to integrate into client-side JS posts. Or is that taken care of already?
Client-side posts done through JavaScript would just need to pass the _csrf value as a body param when CSRF is enabled. This value comes back in the page model, so it could either be injected into the JavaScript or pulled from the page via JavaScript when the page is rendered.
Closing as it doesn't belong in this repo.
Any idea when this feature is going to be released?
Would love to know when this feature is going to be released.
This is now possible using Kraken 1.0's meddleware config and setting the routes property on lusca/csrf.
@jeffharrell Can you give a quick example of disabling CSRF for a specific route in the meddleware config?
Works perfectly, thanks!
Worth mentioning that what's happening here is, for /protect routes, lusca as registered by appsec kicks in, then lusca as registered by appsecprotect kicks in immediately afterwards. If lusca was destructive, that could cause a problem. In this case, since it's not, it merely adds csrf without disabling the others.
I mention this because the reverse—disabling csrf for only some routes—would not work with this pattern.
Ahh, yes, it actually isn't working for disabling csrf. Any options for that? Disabling on certain routes is what I really want, actually.
From: Jean-Charles Sisk <[email protected]>
Reply-To: krakenjs/kraken-js <[email protected]>
Date: Monday, July 7, 2014 at 6:00 PM
To: krakenjs/kraken-js <[email protected]>
Cc: Christopher Severs <[email protected]>
Subject: Re: [kraken-js] Disable CSRF for some paths (#46)
Worth mentioning that what's happening here is, for /protect routes, lusca as registered by appsec kicks in, then lusca as registered by appsecprotect kicks in immediately afterwards. If lusca was destructive, that could cause a problem. In this case, since it's not, it merely adds csrf without disabling the others.
I mention this because the reverse—disabling csrf for only some routes—would not work with this pattern.
Can't confirm any of this stuff at the moment (on a tablet) but, off the top of my head ...
First, express can take a regular expression as a mountpoint. You could register a regex with a negative lookahead to not match on specific routes. Let's say, for example, you want to disable csrf for /api routes. The regex you'd want is /^(?!\/api).+$/. The middleware registered against that route will fire for everything BUT routes that start with /api. As I recall, we don't support regex routes in meddleware since json doesn't support regex, but I could be mistaken (give it a shot). Could potentially do some funky stuff since we do some mountpath resolution on your behalf, but as long as you don't set express:mountpath, don't register kraken with app.use('/someMountPath', kraken()), and don't mount a sub-application, you shouldn't have anything to worry about.
Next, you could disable lusca in config, then write and configure your own middleware that conditionally calls the lusca middleware based on the req path. The path <-> regex resolution in express is provided by the path-to-regexp module; you could use that to ensure that your test for /api works the same way as express and then either call next() if it succeeds (i.e., is a /api route) or lusca(options)(req, res, next); if not.
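As an added example (not code from this thread, kraken-js or lusca), the second option above written out in plain Node: a wrapper that skips a middleware for request paths matching an exclusion pattern, plus the negative-lookahead mount regex from the first option. fakeCsrf is an assumed stand-in for lusca's csrf middleware, the harness mimics express's (req, res, next) calling convention, and a plain RegExp replaces path-to-regexp; all three are assumptions of this demo.

```javascript
// Negative-lookahead mount pattern from the comment above: matches every
// path except those starting with /api (first option).
const NOT_API = /^(?!\/api).+$/;

// Assumed stand-in for lusca.csrf(): hands out a token on GET and rejects a
// state-changing request that does not echo it back in the body.
function fakeCsrf() {
  return function (req, res, next) {
    if (req.method === 'GET') {
      res.locals._csrf = 'demo-token'; // constructed value, not a real secret
      return next();
    }
    if (req.body && req.body._csrf === 'demo-token') return next();
    const err = new Error('CSRF token missing or invalid');
    err.status = 403;
    return next(err);
  };
}

// Second option: run `middleware` unless req.path matches `exclude`.
// `exclude` is a plain RegExp here; express itself uses path-to-regexp.
function unless(exclude, middleware) {
  return function (req, res, next) {
    if (exclude.test(req.path)) return next();
    return middleware(req, res, next);
  };
}

// Anchored prefix so /api and /api/... are excluded but /apix is not.
const API_PREFIX = /^\/api(\/|$)/;

// Minimal harness: push one constructed request through the wrapped
// middleware and report whether it passed, the status, and any token issued.
function run(req) {
  const res = { locals: {} };
  let outcome = { passed: false, status: 500, token: undefined };
  const csrfExceptApi = unless(API_PREFIX, fakeCsrf());
  csrfExceptApi(req, res, function (err) {
    outcome = { passed: !err, status: err ? err.status : 200, token: res.locals._csrf };
  });
  return outcome;
}

// Constructed requests: the API POST bypasses the check, the page POST without
// a token is rejected, and a page GET receives a token for its form.
console.log(run({ method: 'POST', path: '/api/widgets', body: {} }));
console.log(run({ method: 'POST', path: '/checkout', body: {} }));
console.log(run({ method: 'GET', path: '/checkout' }));
```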
Just tried disabling csrf for only one route, while enabling everything else. Still does not work - any workaround yet? Thanks!
For reference, my config.json contains:
...
  "appsec": {
    "enabled": true,
    "priority": 110,
    "module": {
      "name": "lusca",
      "arguments": [
        {
          "csrf": true,
          "xframe": "SAMEORIGIN",
          "p3p": false,
          "csp": false
        }
      ]
    }
  },
  "appsecallocate": {
    "route": "/allocate",
    "priority": 111,
    "module": {
      "name": "lusca",
      "arguments": [
        {
          "csrf": false,
          "xframe": "SAMEORIGIN",
          "p3p": false,
          "csp": false
        }
      ]
    }
  },
...
This should be documented somewhere. The only place I could find out how to turn off CSRF / and appsec in general is this thread.
@bthibault the README mentions application security and shows lusca's default configuration (see appsec in the included middleware section). That said, perhaps this would be a good candidate for the FAQ?
I'm trying to turn on CSRF security on more than 1 route:
"appsecprotect": {
  "route": "/allocate|/resources",
  "enabled": true,
  "priority": 111,
  "module": {
    "name": "lusca",
    "arguments": [
      {
        "csrf": true
      }
    ]
  }
}
gives me the {_csrf} value on both routes. Is that the proper way of specifying it?
See #193
Cool, so basically REGEX will do.