Mojolicious::Plugin::CSRFProtect - Fully protects you from CSRF attacks
# Mojolicious $self->plugin('CSRFProtect'); # Mojolicious::Lite plugin 'CSRFProtect'; # Use "form_for" helper and all your html forms will have CSRF protection token <%= form_for login => (method => 'post') => begin %> <%= text_field 'first_name' %> <%= submit_button %> <% end %> # Place jquery_ajax_csrf_protection helper to your layout template # and all non GET/HEAD/OPTIONS AJAX requests will have CSRF protection token (requires JQuery) <%= jquery_ajax_csrf_protection %> # Custom error handling $self->plugin('CSRFProtect', on_error => sub { my $c = shift; # Do whatever you want here # ... });
Mojolicious::Plugin::CSRFProtect is a Mojolicious plugin which fully protects you from CSRF attacks.
It does following things:
1. Adds a hidden input (with name 'csrftoken') with CSRF protection token to every form (works only if you use form_for helper from Mojolicious::Plugin::TagHelpers.)
form_for
2. Adds the header "X-CSRF-Token" with CSRF token to every AJAX request (works with JQuery only)
3. Rejects all non GET/HEAD/OPTIONS requests without the correct CSRF protection token.
If you want protect your GET/HEAD/OPTIONS requests then you can do it manually
In template: <a href="/delete_user/123/?csrftoken=<%= csrftoken %>">
In controller: $self->is_valid_csrftoken()
on_error
You can pass custom error handling callback. For example
$self->plugin('CSRFProtect', on_error => sub { my $c = shift; $c->render(template => 'error_403', status => 403 ); });
This helper overrides the form_for helper from Mojolicious::Plugin::TagHelpers
and adds hidden input with CSRF protection token.
jquery_ajax_csrf_protection
This helper adds CSRF protection headers to all JQuery AJAX requests.
You should add <%= jquery_ajax_csrf_protection %> in head of your HTML page.
csrftoken
returns CSRF Protection token.
In templates <%= csrftoken %>
In controller $self->csrftoken;
is_valid_csrftoken
With this helper you can check $csrftoken manually. It will take $csrftoken from $c->param('csrftoken');
$self->is_valid_csrftoken() will return 1 or 0
Viktor Turskyi <koorchik@cpan.org>
Please report any bugs or feature requests to bug-mojolicious-plugin-csrfprotect at rt.cpan.org, or through the web interface at http://rt.cpan.org/NoAuth/ReportBug.html?Queue=Mojolicious-Plugin-CSRFProtect. I will be notified, and then you'll automatically be notified of progress on your bug as I make changes.
bug-mojolicious-plugin-csrfprotect at rt.cpan.org
Also you can report bugs to Github https://github.com/koorchik/Mojolicious-Plugin-CSRFProtect/
This plugin followes the same aproach but it works in different manner.
It will parse your response body searching for '<form>' tag and then will insert CSRF token there.
Copyright 2011 Viktor Turskyi
This program is free software; you can redistribute it and/or modify it under the terms of either: the GNU General Public License as published by the Free Software Foundation; or the Artistic License.
See http://dev.perl.org/licenses/ for more information.
To install Mojolicious::Plugin::CSRFProtect, copy and paste the appropriate command in to your terminal.
cpanm
cpanm Mojolicious::Plugin::CSRFProtect
CPAN shell
perl -MCPAN -e shell install Mojolicious::Plugin::CSRFProtect
For more information on module installation, please visit the detailed CPAN module installation guide.