Announcing express-csrf, CSRF protection for Express
17 September 2010
We are happy to announce our first, admittedly very simple, module for Node.js. It helps to combat cross-site request forgery in the Express web framework for Node. Read more about Node and Express later in this post.
The module, express-csrf, is just a couple of helper functions for combating cross-site request forgery. It adds a CSRF token to all views, which you can add as a hidden input field to your forms. This token is also stored in the user's session, and the CSRF token in the POST body must match the one in the session. If they don't match, an error is thrown. That is basically it. Read more about how the module works, and how to install and use it, in the README.
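The check described above, sketched as an added example; this is not express-csrf's own code. The names issueToken, hiddenField, csrfCheck and the csrf field on the session and body are assumptions, as is letting GET, HEAD and OPTIONS through unchecked.

```javascript
// Added example: session-bound CSRF token check (names are assumptions,
// not the express-csrf API).
const crypto = require("crypto");

// Create one unpredictable token per session and reuse it for every view.
function issueToken(session) {
  if (!session.csrf) {
    session.csrf = crypto.randomBytes(32).toString("hex");
  }
  return session.csrf;
}

// The hidden input a form template would embed.
function hiddenField(session) {
  return `<input type="hidden" name="csrf" value="${issueToken(session)}">`;
}

// Constant-time comparison. Non-string values (a missing field, or an array
// produced by a body parser for repeated fields) fail instead of throwing.
function tokensMatch(expected, submitted) {
  if (typeof expected !== "string" || typeof submitted !== "string") return false;
  const a = Buffer.from(expected);
  const b = Buffer.from(submitted);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Connect-style middleware: state-changing requests must carry the token.
function csrfCheck(req, res, next) {
  if (["GET", "HEAD", "OPTIONS"].includes(req.method)) return next();
  const expected = req.session && req.session.csrf;
  const submitted = req.body && req.body.csrf;
  if (tokensMatch(expected, submitted)) return next();
  const err = new Error("CSRF token mismatch");
  err.status = 403;
  next(err);
}

// Drive the middleware with a constructed request and report the outcome.
function run(req) {
  let result;
  csrfCheck(req, {}, (err) => { result = err ? err.status : "ok"; });
  return result;
}
```

A session that never had a token issued fails the check as well, so a POST that arrives before any view was rendered is rejected rather than compared against undefined.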
If you use Express and want CSRF protection, this module is for you! If you just wish to poke around in the code, feel free to do so. The repository is available on our GitHub page: http://github.com/hanssonlarsson/express-csrf.
While a lot of apps can be built directly on top of Node, it's pretty bare-bones and doesn't have tools for working with things like sessions, views, logging, request routing and so forth. For this, we have been using Express. Express is a web framework inspired by Ruby's Sinatra, built on top of the Connect middleware. It helps with a lot of these things and is a joy to work with.
About Hansson & Larsson
We are two programmers in Stockholm, Sweden, trying, with some luck, to juggle our own projects, startup businesses together with others, and consulting gigs (we have to bring home the bread). You can find out a little bit more about us on the home page!