Mojolicious::Plugin::CSRFDefender - Defend against CSRF automatically in a Mojolicious application
This document describes Mojolicious::Plugin::CSRFDefender.
    # Mojolicious
    $self->plugin('Mojolicious::Plugin::CSRFDefender');

    # Mojolicious::Lite
    plugin 'Mojolicious::Plugin::CSRFDefender';
This plugin defends against CSRF automatically in a Mojolicious application, using the following strategy.
When a response body contains form tags with method="post", the plugin inserts into each such form a hidden input tag that carries a token string. For example, if the application's response body is
    <html>
      <body>
        <form method="post" action="/get">
          <input name="text" />
          <input type="submit" value="send" />
        </form>
      </body>
    </html>
this becomes
    <html>
      <body>
        <form method="post" action="/get">
          <input type="hidden" name="csrf_token" value="zxjkzX9RnCYwlloVtOVGCfbwjrwWZgWr" />
          <input name="text" />
          <input type="submit" value="send" />
        </form>
      </body>
    </html>
For every POST request, the plugin checks that the request parameters contain the correct token (the one stored in the session). If the token is missing or does not match, the plugin responds with 403 Forbidden. Note that only POST requests are checked: a handler that changes state on a GET request is not protected by this plugin.
    plugin 'Mojolicious::Plugin::CSRFDefender' => {
        parameter_name => 'param-csrftoken',
        session_key    => 'session-csrftoken',
        token_length   => 40,
        error_status   => 400,
        error_template => 'public/400.html',
    };
parameter_name
Name of the input tag for the token (csrf_token by default, as in the example above).
session_key
Name of the session key for the token.
token_length
Length of the token string.
error_status
Status code when CSRF is detected (403 by default).
error_content
Content body when CSRF is detected.
error_template
Return the content of the specified file as the content body when CSRF is detected. Specify the file path relative to the application home directory.
onetime
If set to 1, the plugin uses a one-time token: whenever the client sends the correct token and the plugin verifies it, the token string is regenerated, so each token is accepted only once.
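The following is an added example, not code from the plugin's own distribution: a Mojolicious::Lite application that loads the plugin with several of the options listed above, together with Test::Mojo checks of the behaviour the description and the option list state (the hidden input inserted into POST forms, rejection of a missing or wrong token with the configured status, acceptance of the genuine token, and regeneration of the token when onetime is set). The routes, the helper token_from_form and the request values are this example's own assumptions.

```perl
#!/usr/bin/env perl
# Added example: a Mojolicious::Lite app that loads the plugin with custom
# options, plus Test::Mojo checks of the documented behaviour.
# Run with:  prove -v csrf_defender.t
use strict;
use warnings;
use Mojolicious::Lite;
use Test::More;
use Test::Mojo;

# Options from the list above. The form field name, session key name,
# error status and token length are all changed from their defaults.
plugin 'Mojolicious::Plugin::CSRFDefender' => {
    parameter_name => 'param-csrftoken',
    session_key    => 'session-csrftoken',
    token_length   => 40,
    error_status   => 400,
    onetime        => 1,
};

# The same POST form as in the description; the plugin rewrites it on the way out.
get '/' => sub {
    my $c = shift;
    $c->render(inline => <<'HTML');
<html><body>
<form method="post" action="/get">
  <input name="text" />
  <input type="submit" value="send" />
</form>
</body></html>
HTML
};

# Target of the form; only reached when the plugin accepted the token.
post '/get' => sub {
    my $c = shift;
    $c->render(text => 'received: ' . $c->param('text'));
};

# One Test::Mojo object keeps the cookie jar, so the session that holds the
# token persists across requests the way a browser session would.
my $t = Test::Mojo->new;

# token_from_form is this example's own helper: fetch the form and read the
# value of the hidden input the plugin inserted.
sub token_from_form {
    my $input = $t->get_ok('/')->status_is(200)
        ->tx->res->dom->at('input[type="hidden"][name="param-csrftoken"]');
    ok $input, 'hidden token input was inserted into the POST form';
    return $input ? $input->attr('value') : '';
}

my $token = token_from_form();
is length($token), 40, 'token has the configured token_length';

# A POST without the token is rejected with the configured error_status.
$t->post_ok('/get' => form => { text => 'hello' })->status_is(400);

# A guessed token (wrong value, right length) is rejected too.
$t->post_ok('/get' => form => { 'param-csrftoken' => 'x' x 40, text => 'hello' })
  ->status_is(400);

# The genuine token read from the form is accepted and the handler runs.
$t->post_ok('/get' => form => { 'param-csrftoken' => $token, text => 'hello' })
  ->status_is(200)->content_is('received: hello');

# onetime => 1: after that successful POST the token is regenerated, so the
# next form carries a new token and replaying the old one fails.
my $next = token_from_form();
isnt $next, $token, 'token regenerated after a successful POST (onetime)';
$t->post_ok('/get' => form => { 'param-csrftoken' => $token, text => 'replay' })
  ->status_is(400);

done_testing;
```

Save it as a .t file and run it with prove. Because the token is compared against the value kept in the session, the Test::Mojo user agent must be reused across the GET and the POST; a fresh client without the session cookie would be rejected even with a token copied from someone else's form, which is exactly the property that stops a cross-site forgery.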
Mojolicious::Plugin::CSRFDefender inherits all methods from Mojolicious::Plugin and implements the following new ones.
register
$plugin->register;
Register plugin in Mojolicious application.
Mojolicious
https://github.com/shibayu36/p5-Mojolicious-Plugin-CSRFDefender
Yuki Shibazaki <shibayu36 {at} gmail.com>
Copyright (c) 2011, Yuki Shibazaki <shibayu36 {at} gmail.com>. All rights reserved.
This module is free software; you can redistribute it and/or modify it under the same terms as Perl itself. See perlartistic.
To install Mojolicious::Plugin::CSRFDefender, copy and paste the appropriate command into your terminal.
cpanm
cpanm Mojolicious::Plugin::CSRFDefender
CPAN shell
    perl -MCPAN -e shell
    install Mojolicious::Plugin::CSRFDefender
For more information on module installation, please visit the detailed CPAN module installation guide.