sails.config.csrf
Configuration for Sails' built-in CSRF protection middleware. These options are conventionally set in the config/csrf.js configuration file. See the docs on Cross-Site Request Forgery in the security section for detailed usage instructions.
This option protects your Sails app against cross-site request forgery (or CSRF) attacks. A would-be attacker needs not only a user's session cookie, but also this timestamped, secret CSRF token, which is refreshed/granted when the user visits a URL on your app's domain.
This allows you to have certainty that your users' requests haven't been hijacked, and that the requests they're making are intentional and legitimate.
Properties
| Property | Type | Default | Details |
|---|---|---|---|
csrf |
false | CSRF protection is disabled by default to facilitate development. To turn it on, just set sails.config.csrf to true, or for more flexibility, specify a dictionary with any of the properties described below. |
|
csrf.grantTokenViaAjax |
true | Whether to activate the /csrfToken route, which will return the current CSRF token value which can then be used in AJAX requests. | |
csrf.origin |
'' | Comma-delimited list of origins that are allowed to access the CSRF token via the /csrfToken shadow route. This is separate from the other CORS settings, which do not apply to the /csrfToken route. | |
csrf.routesDisabled |
'' | Array or comma-delimited list of routes where CSRF protection is disabled. Routes with Express-style wildcards (e.g. '/foo/:id') and regular expressions (e.g. /user\/\d+/) can both be used. Do not include HTTP verbs (e.g. POST or PUT) with the routes -- disabling CSRF for a route always applies to all verbs for that route's address. |
For a better experience on sailsjs.com, update your browser.
Reference
- Application
- Blueprint API
- Command Line Interface
-
Configuration
- sails.config.*
- sails.config.blueprints
- sails.config.bootstrap()
- sails.config.connections
- sails.config.cors
- sails.config.csrf
- sails.config.globals
- sails.config.http
- sails.config.i18n
- sails.config.log
- sails.config.models
- sails.config.policies
- sails.config.routes
- sails.config.session
- sails.config.sockets
- sails.config.views
-
Request (`req`)
- req.accepted
- req.acceptedCharsets
- req.acceptedLanguages
- req.body
- req.cookies
- req.fresh
- req.headers
- req.host
- req.ip
- req.ips
- req.isSocket
- req.method
- req.options
- req.originalUrl
- req.params
- req.path
- req.protocol
- req.query
- req.secure
- req.signedCookies
- req.socket
- req.subdomains
- req.url
- req.wantsJSON
- req.xhr
- req.accepts()
- req.acceptsCharset()
- req.acceptsLanguage()
- req.allParams()
- req.file()
- req.get()
- req.is()
- req.param()
- Response (`res`)
- Waterline (ORM)
- WebSockets
Built with Love
The Sails framework is maintained by a web & mobile studio in Austin, TX, with the help of our contributors. We created Sails in 2012 to assist us on Node.js projects. Naturally we open-sourced it. We hope it makes your life a little bit easier!
© 2012-2018 The Sails Company.
The Sails framework is free and open-source under the MIT License.