我试图用csurf和csrf令牌保护我的节点js web应用程序 . 这里和网上都有很多例子,但不能让它们起作用 .
这是我的app.js
var express = require('express');
var cookieParser = require('cookie-parser');
var csrf = require('csurf');
var bodyParser = require('body-parser');
var app = express();
// view engine setup
app.set('views', path.join(__dirname, 'views'));
app.set('view engine', 'pug');
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: false }));
app.use(cookieParser());
var csp = require('helmet-csp')
app.use(csp({
directives: {
defaultSrc: ["'self'"],
styleSrc: ["'self'", 'maxcdn.bootstrapcdn.com']
}
}))
app.use(session({
secret: 'xxxx',
cookie: {
httpOnly: true,
secure: true
},
key: 'sid',
resave: false,
saveUninitialized: false,
store: new RedisStore({ client: client }),
ttl: 86400 //24 hour session expiry. Expressed in seconds
}));
app.use(csrf());
//To ensure all rendered views have the crsf token available
app.use(function (req, res, next) {
res.locals._csrf = req.csrfToken();
next();
});
这是渲染的哈巴狗页面的表格部分;
form(action='/getTokenManual', method='post')
fieldset
input(type='hidden', name='_csrf', value=_csrf)
p
input#password(type='password', name='code', placeholder='Enter user code here')
p
input(type='submit', value='Sign In')
任何帮助将不胜感激 . 这个例子是我试图复制的; http://scottksmith.com/blog/2014/09/04/simple-steps-to-secure-your-express-node-application/