NAME

Mojolicious::Plugin::DeCSRF - Defend from CSRF attacks centrally.

SYNOPSIS

  # Mojolicious::Lite
  #!/usr/bin/env perl
  
  use Mojolicious::Lite;

  plugin 'DeCSRF' => {
    # Runs instead of the default 403 "Forbidden!" when the token does not match
    on_mismatch => sub {
      shift->render(template => '503', status => 503);
    },
    token_length => 8,
    token_name => 'csrf',
    # Arrayref of urls (perlre patterns allowed), as documented for decsrf->urls
    urls => [qw~/protected~]
  };
  
  # An action that renders nothing falls back to the template named after its route
  get '/' => sub {
    my $self = shift;
  } => 'index';
  
  get '/protected' => sub {
    my $self = shift;
  } => 'protected';

  app->start();
  
  __DATA__
  @@ layouts/default.html.ep
  <html>
    <body><%= content %></body>
  </html>
  @@ protected.html.ep
  % layout 'default';
  <a href="<%= decsrf->url('index') %>">Home</a>
  @@ index.html.ep
  % layout 'default';
  <a href="<%= decsrf->url('protected') %>">Protected</a>
  @@ 503.html.ep
  Service error!

DESCRIPTION

Mojolicious::Plugin::DeCSRF is a Mojolicious plugin that defends an application from CSRF attacks centrally. The "good" strategy gives you flexible control over the urls: wrap every url with decsrf->url(URL) and manage the list of urls that must be protected in one place with decsrf->urls().

OPTIONS

Options can be changed at any time through the decsrf helper.

decsrf->on_mismatch

Set a custom callback that runs when the token does not match. The default is $self->render(text => "Forbidden!", status => 403).

  decsrf->on_mismatch( sub {
    shift->render(template => '503', status => 503);
  } );

decsrf->token_length

Set a custom token length. The default is 4 symbols drawn from the ranges 'A-Z', 'a-z', '0-9' and the characters '@', '$', '-', '_'. The default is short; a longer token, as in the example below, leaves an attacker far less chance of guessing a valid value.

  decsrf->token_length(40);

decsrf->token_name

Set a custom name for the token in the url and session parameters. The default name is 'token'.

  decsrf->token_name('csrf');

decsrf->urls

Set the urls that must be protected. Regular expressions (see perlre) can be used.

  decsrf->urls([qw~/protected /.*?ected~]);
  push @{decsrf->urls}, qw~/protected /.*?ected~;

METHODS

Mojolicious::Plugin::DeCSRF inherits all methods from Mojolicious::Plugin and implements the following new ones.

register

  $plugin->register(Mojolicious->new, \%config);

Register the plugin in a Mojolicious application. \%config takes the same keys as the options above.

decsrf->url

Add the 'token' param (or the name set with decsrf->token_name) to a url that matches decsrf->urls.

  #/protected?token=XXXX
  decsrf->url('/protected');
  
  #/protected?foo=bar&token=XXXX
  decsrf->url('/protected?foo=bar');
  
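The following Test::Mojo script is an added example, not part of the distribution. It exercises the protection end to end and assumes, as the OPTIONS section describes, that a request to a protected url whose token does not match the session token is handed to on_mismatch (default 403 "Forbidden!") and that the token is stored in the session when decsrf->url first issues it.

```perl
#!/usr/bin/env perl
use Mojolicious::Lite;
use Test::More;
use Test::Mojo;

# Longer token than the 4-symbol default; urls is an arrayref of
# perlre patterns, as for decsrf->urls.
plugin 'DeCSRF' => {
  token_length => 32,
  token_name   => 'csrf',
  urls         => [qw~/protected~],
};

# The link is wrapped with decsrf->url, so it carries the csrf param.
get '/' => sub {
  shift->render(inline => '<a href="<%= decsrf->url("/protected") %>">go</a>');
};

get '/protected' => sub { shift->render(text => 'secret') };

my $t = Test::Mojo->new;

# No token at all: the request must hit the default mismatch handler.
$t->get_ok('/protected')->status_is(403)->content_is('Forbidden!');

# Fetch the page whose link was wrapped; the same user agent keeps the
# session cookie, so the token in the link is the one the session holds.
$t->get_ok('/')->status_is(200);
my $link = $t->tx->res->dom->at('a')->attr('href');
like $link, qr/\?csrf=[A-Za-z0-9\@\$\-_]{32}$/, 'token has the configured length';

# Matching token from the session: allowed.
$t->get_ok($link)->status_is(200)->content_is('secret');

# Tampered token (first character replaced by one outside the alphabet):
# rejected even though the session is valid.
(my $bad = $link) =~ s/csrf=./csrf=!/;
$t->get_ok($bad)->status_is(403);

done_testing;
```

Run it with prove; each failing status check points at the url whose protection does not behave as configured.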

AUTHOR

Ilya Tokarev <sysadm@cpan.org>

COPYRIGHT AND LICENSE

Copyright (C) 2013, Ilya Tokarev.

This program is free software, you can redistribute it and/or modify it under the terms of the Artistic License version 2.0.

SEE ALSO

Mojolicious, Mojolicious::Guides, http://mojolicio.us.