Disable csrf validation for some requests on Express
Problem description
I'm writing a small web app with Node.js using the Express framework. I'm using the csrf middleware, but I want to disable it for some requests. This is how I include it in my app:
var express = require('express');
var app = express();
app.use(express.bodyParser());
app.use(express.cookieParser());
app.use(express.cookieSession({secret: 'secret'}));
app.use(express.csrf());
I want to set a POST route without the csrf control.
There are several possible approaches. You basically need to understand what is the simplest and most correct rule to decide whether or not to use the csrf middleware. If you want csrf most of the time, except for a small whitelist of request patterns, follow the example in this answer I have about conditional logging middleware (copied below for convenience).
var express = require("express");
var csrf = express.csrf();
var app = express.createServer();
var conditionalCSRF = function (req, res, next) {
  //compute needCSRF here as appropriate based on req.path or whatever
  if (needCSRF) {
    csrf(req, res, next);
  } else {
    next();
  }
};
app.use(conditionalCSRF);
app.listen(3456);
Another approach could be only using the middleware on a certain path, like app.post('/forms/*', express.csrf()). You just want to find an expressive way to make it clean when the middleware will or will not be used.
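One way to fill in the needCSRF rule from the answer above, as an added example that is not part of the original answer: the exemption is keyed on method plus exact path, so anything that does not match exactly still goes through the CSRF check. The names stubCsrf, CSRF_EXEMPT and check, the route paths and the token value are hypothetical, and stubCsrf is only a stand-in for express.csrf() so the block runs without Express.

```javascript
// Added example: stand-alone Node.js, no Express required. Middleware are
// plain (req, res, next) functions, so the wrapper drops into app.use().

// Stand-in for express.csrf() (assumption: a simple token comparison).
function stubCsrf(req, res, next) {
  if (req.body && req.body._csrf === req.session._csrf) return next();
  const err = new Error('Forbidden');
  err.status = 403;
  next(err);
}

// Hypothetical exemptions, keyed by method and exact path.
const CSRF_EXEMPT = new Set(['POST /webhooks/payment']);

// Skip CSRF only on an exact allowlist hit; every other request,
// including near-misses, falls through to the CSRF check (fail closed).
function conditionalCSRF(csrf, exempt) {
  return function (req, res, next) {
    // Express sets req.path without the query string; fall back to req.url.
    const path = req.path || req.url.split('?')[0];
    const needCSRF = !exempt.has(req.method.toUpperCase() + ' ' + path);
    if (needCSRF) {
      csrf(req, res, next);
    } else {
      next();
    }
  };
}

// Drive the middleware with a constructed request and report the outcome.
function check(method, url, bodyToken) {
  const req = { method, url, body: { _csrf: bodyToken }, session: { _csrf: 'tok-123' } };
  let outcome = 'pending';
  conditionalCSRF(stubCsrf, CSRF_EXEMPT)(req, {}, (err) => {
    outcome = err ? 'rejected ' + err.status : 'passed';
  });
  return outcome;
}

console.log(check('POST', '/webhooks/payment'));          // exempt route, no token
console.log(check('POST', '/webhooks/payment-admin'));    // near-miss, no token
console.log(check('POST', '/account/email', 'tok-123'));  // protected, valid token
```

A prefix or wildcard rule in place of the exact match would also exempt the near-miss path, which is why the allowlist is kept to exact entries here.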