Mojolicious::Plugin::DeCSRF - Defend from CSRF attacks centrally.
    # Mojolicious::Lite
    #!/usr/bin/env perl
    use Mojolicious::Lite;

    plugin 'DeCSRF' => {
        # handler for requests whose token is missing or wrong
        # (default: 403 "Forbidden!")
        on_mismatch  => sub { shift->render(template => '503', status => 503); },
        token_length => 8,
        token_name   => 'csrf',
        # url patterns that must carry a token (see decsrf->urls)
        urls         => [qw~/protected~],
    };

    get '/'          => sub { my $self = shift; } => 'index';
    get '/protected' => sub { my $self = shift; } => 'protected';

    app->start();

    __DATA__

    @@ layouts/default.html.ep
    <html>
    <body><%= content %></body>
    </html>

    @@ protected.html.ep
    % layout 'default';
    <a href="<%= decsrf->url('index') %>">Home</a>

    @@ index.html.ep
    % layout 'default';
    <a href="<%= decsrf->url('protected') %>">Protected</a>

    @@ 503.html.ep
    Service error!
Mojolicious::Plugin::DeCSRF is a Mojolicious plugin that defends a Mojolicious application from CSRF attacks centrally. The intended ("good") strategy gives you flexible control over which urls are protected: wrap every url you emit in decsrf->url(URL), and keep the list of urls that must carry a token in one place with decsrf->urls(). A request for a protected url whose token does not match the token stored in the session is handed to the on_mismatch callback instead of the route.
Options can be changed at any time, at runtime, through the decsrf accessors below.
decsrf->on_mismatch
Set a custom handler for requests whose token does not match the session token. The default is:

    $self->render(text => "Forbidden!", status => 403);

    decsrf->on_mismatch(sub { shift->render(template => '503', status => 503); });
decsrf->token_length
Set a custom token length. The default is 4 symbols drawn from the ranges 'A-Z', 'a-z', '0-9' and the characters '@', '$', '-', '_' (66 symbols in all). Four symbols give fewer than 20 million possible tokens, which is small enough that guessing is not out of the question for an attacker who can drive many requests, so raise the length for anything beyond a demo; the token is a nonce, not a password, and a longer value costs nothing.

    decsrf->token_length(40);
decsrf->token_name
Set the name of the token parameter in the url and in the session. The default name is 'token'.

    decsrf->token_name('csrf');
decsrf->urls
Set the urls that must be protected. Entries are Perl regular expressions (see perlre), so one pattern can cover a whole subtree. Pass a new array reference, or push onto the existing one:

    decsrf->urls([qw~/protected /.*?ected~]);
    push @{decsrf->urls}, qw~/protected /.*?ected~;
Mojolicious::Plugin::DeCSRF inherits all methods from Mojolicious::Plugin and implements the following new ones.
register
    $plugin->register(Mojolicious->new, {token_name => 'csrf'});

Register plugin in Mojolicious application. Mojolicious calls this for you when you load the plugin with plugin 'DeCSRF' => {...}; the hash reference carries the options listed above.
decsrf->url
Add the token parameter (named by decsrf->token_name, 'token' by default) to a url that matches one of decsrf->urls; urls that match no pattern are left as they are. The argument is a path or, as in the synopsis, a route name. Because the token travels in the query string it ends up in browser history, in server and proxy logs and in the Referer header of links followed from the protected page, so treat protected urls accordingly and do not reuse the value for anything else.

    #/protected?token=XXXX
    decsrf->url('/protected');

    #/protected?foo=bar&token=XXXX
    decsrf->url('/protected?foo=bar');
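The following Test::Mojo script is an added example, not part of the module or its test suite, that exercises the behaviour described for decsrf->urls and decsrf->url above: a protected url requested without a token, the same url reached through a decsrf->url link in the same session, a forged token value, and a stolen link replayed from a client with no session. The app, routes and templates are constructed for the example. It assumes that a missing token counts as a mismatch, that the plugin compares the url parameter against the value kept in the session (as the token_name documentation states), that each entry of urls is applied as an ordinary Perl pattern match, and that token_length => 40 yields a 40-symbol token from the documented alphabet.

```perl
#!/usr/bin/env perl
use Mojolicious::Lite;
use Test::More;
use Test::Mojo;

# Constructed demo app: the synopsis options, plus a regex that
# protects everything under /admin/ with a single entry.
plugin 'DeCSRF' => {
    token_length => 40,                     # assumption: longer than the 4-symbol default
    token_name   => 'csrf',
    urls         => [qw~/protected ^/admin/~],  # assumption: plain Perl pattern match
};

get '/'            => 'index';
get '/protected'   => sub { shift->render(text => 'secret') } => 'protected';
get '/admin/users' => sub { shift->render(text => 'users') }  => 'admin_users';
get '/public'      => sub { shift->render(text => 'public') } => 'public';

my $t = Test::Mojo->new;   # picks up the Mojolicious::Lite app defined above

# 1. No token at all: the documented default mismatch handler answers
#    403 "Forbidden!" (assumption: a missing token counts as a mismatch).
$t->get_ok('/protected')->status_is(403)->content_is('Forbidden!');
$t->get_ok('/admin/users')->status_is(403);

# 2. A url matching none of decsrf->urls is not checked.
$t->get_ok('/public')->status_is(200)->content_is('public');

# 3. Render the index page: decsrf->url appends ?csrf=... to the protected
#    link only, and Test::Mojo keeps the session cookie it was given.
$t->get_ok('/')->status_is(200);
my $dom       = $t->tx->res->dom;
my $protected = $dom->at('a#protected')->{href};
my $public    = $dom->at('a#public')->{href};
like $protected, qr{^/protected\?csrf=[A-Za-z0-9\@\$_-]{40}$}, 'protected link carries a 40-symbol token';
is   $public,    '/public', 'unprotected link is untouched';

# 4. Following the link with the same session satisfies the check.
$t->get_ok($protected)->status_is(200)->content_is('secret');

# 5. Forged value, same session: rejected.
$t->get_ok('/protected?csrf=AAAAAAAA')->status_is(403);

# 6. Stolen link (e.g. from a Referer header or a log line) replayed by a
#    client that lacks the victim's session cookie: rejected, because the
#    token is only meaningful together with the session it was issued in.
Test::Mojo->new->get_ok($protected)->status_is(403);

done_testing;

__DATA__
@@ index.html.ep
<a id="protected" href="<%= decsrf->url('protected') %>">Protected</a>
<a id="public" href="<%= decsrf->url('public') %>">Public</a>
```

Run it with prove or plain perl. Step 6 is the one worth keeping in a real test suite: it is the property that makes a token in the query string acceptable at all, and it is the first thing to re-check after changing token_name or the session configuration.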
Ilya Tokarev <sysadm@cpan.org>
Copyright (C) 2013, Ilya Tokarev.
This program is free software, you can redistribute it and/or modify it under the terms of the Artistic License version 2.0.
Mojolicious, Mojolicious::Guides, http://mojolicio.us.
To install Mojolicious::Plugin::DeCSRF, copy and paste the appropriate command in to your terminal.
cpanm
cpanm Mojolicious::Plugin::DeCSRF
CPAN shell
    perl -MCPAN -e shell
    install Mojolicious::Plugin::DeCSRF
For more information on module installation, please visit the detailed CPAN module installation guide.