NAME

Mojolicious::Plugin::CSRFDefender - Defend CSRF automatically in Mojolicious Application

VERSION

This document describes Mojolicious::Plugin::CSRFDefender version 0.0.6

SYNOPSIS

    # Mojolicious
    $self->plugin('Mojolicious::Plugin::CSRFDefender');

    # Mojolicious::Lite
    plugin 'Mojolicious::Plugin::CSRFDefender';

DESCRIPTION

This plugin defends against CSRF automatically in a Mojolicious application. The strategy is as follows.

output filter

When the application response body contains form tags with method="post", the plugin inserts a hidden input tag carrying the token string into each such form in the response body. For example, if the application response body is

    <html>
      <body>
        <form method="post" action="/get">
          <input name="text" />
          <input type="submit" value="send" />
        </form>
      </body>
    </html>

this becomes

    <html>
      <body>
        <form method="post" action="/get">
        <input type="hidden" name="csrf_token" value="zxjkzX9RnCYwlloVtOVGCfbwjrwWZgWr" />
          <input name="text" />
          <input type="submit" value="send" />
        </form>
      </body>
    </html>

input check

For every POST request, this module checks that the input parameters contain the correct token. If it is not found, the request is rejected with 403 Forbidden.
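Both halves of the strategy, exercised end to end with Test::Mojo (an added example, not code from the distribution; it assumes the plugin is installed alongside a Mojolicious version it is compatible with, and names the token parameter explicitly so the test does not depend on the default):

```perl
#!/usr/bin/env perl
# Added example, not from the distribution: exercises token injection and
# the POST check with Test::Mojo. Assumes the plugin is installed alongside
# a Mojolicious version it is compatible with.
use Mojolicious::Lite;
use Test::More;
use Test::Mojo;

# Name the parameter explicitly so the test does not depend on the default.
plugin 'Mojolicious::Plugin::CSRFDefender' => { parameter_name => 'csrf_token' };

# A page with a POST form; the plugin should add the hidden token field.
get '/' => sub {
    shift->render(inline => <<'HTML');
<form method="post" action="/submit">
  <input name="text" />
  <input type="submit" value="send" />
</form>
HTML
};

# The state-changing endpoint the plugin protects.
post '/submit' => sub {
    my $c = shift;
    $c->render(text => 'received: ' . $c->param('text'));
};

my $t = Test::Mojo->new;  # its user agent keeps the session cookie between requests

# Output filter: the rendered form now carries the hidden token input.
$t->get_ok('/')->status_is(200)
  ->element_exists('form[method=post] input[type=hidden][name=csrf_token]');
my $token = $t->tx->res->dom->at('input[name=csrf_token]')->attr('value');
ok length $token, 'token was injected into the form';

# Input check: a POST without the token is rejected ...
$t->post_ok('/submit' => form => { text => 'hello' })->status_is(403);

# ... so is one carrying a wrong token ...
$t->post_ok('/submit' => form => { text => 'hello', csrf_token => 'bogus' })
  ->status_is(403);

# ... and one carrying the token taken from the form is accepted.
$t->post_ok('/submit' => form => { text => 'hello', csrf_token => $token })
  ->status_is(200)->content_is('received: hello');

done_testing;
```

Run it with `prove -v` to confirm the plugin is active on every POST route, not only the one the form points at.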

OPTIONS

    plugin 'Mojolicious::Plugin::CSRFDefender' => {
        parameter_name => 'param-csrftoken',
        session_key    => 'session-csrftoken',
        token_length   => 40,
        error_status   => 400,
        error_template => 'public/400.html',
    };

parameter_name (default: "csrftoken")

Name of the input tag for the token.

session_key (default: "csrftoken")

Name of the session key for the token.

token_length (default: 32)

Length of the token string.

error_status (default: 403)

Status code when CSRF is detected.

error_content (default: "Forbidden")

Content body when CSRF is detected.

error_template

Return the content of the specified file as the response body when CSRF is detected. Specify the file path relative to the application home directory.

onetime (default: 0)

If set to 1, this plugin uses a one-time token: whenever the client sends the correct token and the plugin verifies it, the token string is regenerated.

METHODS

Mojolicious::Plugin::CSRFDefender inherits all methods from Mojolicious::Plugin and implements the following new ones.

register

    $plugin->register;

Register plugin in Mojolicious application.

SEE ALSO

REPOSITORY

https://github.com/shiba-yu36/p5-Mojolicious-Plugin-CSRFDefender

AUTHOR

  <shibayu36 {at} gmail.com>

LICENCE AND COPYRIGHT

Copyright (c) 2011, Yuki Shibazaki <shibayu36 {at} gmail.com>. All rights reserved.

This module is free software; you can redistribute it and/or modify it under the same terms as Perl itself. See perlartistic.
