Cross-Site Request Forgery (abbreviated as CSRF or XSRF), also known as one-click attack or session riding, is an attack method that coerces a user to perform unintended actions on a currently authenticated web application. Compared to Cross-Site Scripting (XSS), XSS exploits the trust a user has in a particular site, while CSRF exploits the trust that a site has in a user’s web browser.

How to Defend

Here, we choose to validate requests using token through middleware, with the CSRF cross-site defense plugin provided by the community package.

Developers can add middleware to the API to include token verification functionality.

Interested parties can read the plugin source code at https://github.com/gogf/csrf.

Usage

Import Plugin Package

  1. import "github.com/gogf/csrf"

Configure API Middleware

The csrf plugin supports custom csrf.Config configuration. In Config, Cookie.Name is the name of the token set by the middleware in the returned Cookie, ExpireTime is the timeout for the token, TokenLength is the token length, and TokenRequestKey is the name of the parameter required to be included in subsequent requests.

  1. s := g.Server()
  2. s.Group("/api.v2", func(group *ghttp.RouterGroup) {
  3. group.Middleware(csrf.NewWithCfg(csrf.Config{
  4. Cookie: &http.Cookie{
  5. Name: "_csrf", // token name in cookie
  6. },
  7. ExpireTime: time.Hour * 24,
  8. TokenLength: 32,
  9. TokenRequestKey: "X-Token", // use this key to read token in request param
  10. }))
  11. group.ALL("/csrf", func(r *ghttp.Request) {
  12. r.Response.Writeln(r.Method + ": " + r.RequestURI)
  13. })
  14. })

Front-end Integration

After configuration, the front-end reads the value of _csrf (i.e., token) from the Cookie before making a POST request, and includes the token in the request as the X-Token (set by TokenRequestKey) parameter name (either in Header or Form) to pass the token verification.

Code Example

Using Default Configuration

  1. package main
  2. import (
  3. "net/http"
  4. "time"
  5. "github.com/gogf/csrf"
  6. "github.com/gogf/gf/v2/frame/g"
  7. "github.com/gogf/gf/v2/net/ghttp"
  8. )
  9. // default cfg
  10. func main() {
  11. s := g.Server()
  12. s.Group("/api.v2", func(group *ghttp.RouterGroup) {
  13. group.Middleware(csrf.New())
  14. group.ALL("/csrf", func(r *ghttp.Request) {
  15. r.Response.Writeln(r.Method + ": " + r.RequestURI)
  16. })
  17. })
  18. s.SetPort(8199)
  19. s.Run()
  20. }

Using Custom Configuration

  1. package main
  2. import (
  3. "net/http"
  4. "time"
  5. "github.com/gogf/csrf"
  6. "github.com/gogf/gf/v2/frame/g"
  7. "github.com/gogf/gf/v2/net/ghttp"
  8. )
  9. // set cfg
  10. func main() {
  11. s := g.Server()
  12. s.Group("/api.v2", func(group *ghttp.RouterGroup) {
  13. group.Middleware(csrf.NewWithCfg(csrf.Config{
  14. Cookie: &http.Cookie{
  15. Name: "_csrf", // token name in cookie
  16. Secure: true,
  17. SameSite: http.SameSiteNoneMode, // custom samesite
  18. },
  19. ExpireTime: time.Hour * 24,
  20. TokenLength: 32,
  21. TokenRequestKey: "X-Token", // use this key to read token in request param
  22. }))
  23. group.ALL("/csrf", func(r *ghttp.Request) {
  24. r.Response.Writeln(r.Method + ": " + r.RequestURI)
  25. })
  26. })
  27. s.SetPort(8199)
  28. s.Run()
  29. }

Experience the Effect Through Request

http://localhost:8199/api.v2/csrf