NAME

Mojolicious::Plugin::CSRFDefender - Defend CSRF automatically in Mojolicious Application

VERSION

This document describes Mojolicious::Plugin::CSRFDefender.

SYNOPSIS

    # Mojolicious
    $self->plugin('Mojolicious::Plugin::CSRFDefender');

    # Mojolicious::Lite
    plugin 'Mojolicious::Plugin::CSRFDefender';

DESCRIPTION

This plugin defends CSRF automatically in Mojolicious Application. Following is the strategy.

output filter

When the application response body contains form tags with method="post", this inserts hidden input tag that contains token string into forms in the response body. For example, the application response body is

    <html>
      <body>
        <form method="post" action="/get">
          <input name="text" />
          <input type="submit" value="send" />
        </form>
      </body>
    </html>

this becomes

    <html>
      <body>
        <form method="post" action="/get">
        <input type="hidden" name="csrf_token" value="zxjkzX9RnCYwlloVtOVGCfbwjrwWZgWr" />
          <input name="text" />
          <input type="submit" value="send" />
        </form>
      </body>
    </html>

input check

For every POST requests, this module checks input parameters contain the collect token parameter. If not found, throws 403 Forbidden.

OPTIONS

    plugin 'Mojolicious::Plugin::CSRFDefender' => {
        parameter_name => 'param-csrftoken',
        session_key    => 'session-csrftoken',
        token_length   => 40,
        error_status   => 400,
        error_template => 'public/400.html',
    };

parameter_name(default:"csrftoken"): Name of the input tag for the token.
session_key(default:"csrftoken"): Name of the session key for the token.
token_length(default:32): Length of the token string.
error_status(default:403): Status code when CSRF is detected.
error_content(default:"Forbidden"): Content body when CSRF is detected.
error_template: Return content of the specified file as content body when CSRF is detected. Specify the file path from the application home directory.
onetime(default:0): If specified with 1, this plugin uses onetime token, that is, whenever client sent collect token and this middleware detect that, token string is regenerated.

METHODS

Mojolicious::Plugin::CSRFDefender inherits all methods from Mojolicious::Plugin and implements the following new ones.

`register`

    $plugin->register;

REPOSITORY

https://github.com/shibayu36/p5-Mojolicious-Plugin-CSRFDefender

AUTHOR

  C<< <shibayu36 {at} gmail.com> >>

LICENCE AND COPYRIGHT

This module is free software; you can redistribute it and/or modify it under the same terms as Perl itself. See perlartistic.

To install Mojolicious::Plugin::CSRFDefender, copy and paste the appropriate command in to your terminal.

cpanm

cpanm Mojolicious::Plugin::CSRFDefender

CPAN shell

perl -MCPAN -e shell
install Mojolicious::Plugin::CSRFDefender

For more information on module installation, please visit the detailed CPAN module installation guide.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	go to github issues (only if github is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

	Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)