我试图用csurf和csrf令牌保护我的节点js web应用程序 . 这里和网上都有很多例子,但不能让它们起作用 .

这是我的app.js

var express = require('express');
var cookieParser = require('cookie-parser');
var csrf = require('csurf');
var bodyParser = require('body-parser');

var app = express();
// view engine setup
app.set('views', path.join(__dirname, 'views'));
app.set('view engine', 'pug');
app.use(bodyParser.json());

app.use(bodyParser.urlencoded({ extended: false }));
app.use(cookieParser());


var csp = require('helmet-csp')    
app.use(csp({
    directives: {
        defaultSrc: ["'self'"],
        styleSrc: ["'self'", 'maxcdn.bootstrapcdn.com']
    }
}))

app.use(session({
    secret: 'xxxx',
    cookie: {
        httpOnly: true,
        secure: true
    },
    key: 'sid',
    resave: false,
    saveUninitialized: false,
    store: new RedisStore({ client: client }),
    ttl: 86400 //24 hour session expiry. Expressed in seconds
}));


app.use(csrf()); 
//To ensure all rendered views have the crsf token available
app.use(function (req, res, next) {
    res.locals._csrf = req.csrfToken();
    next();
});

这是渲染的哈巴狗页面的表格部分;

form(action='/getTokenManual', method='post')          
      fieldset
        input(type='hidden', name='_csrf', value=_csrf)
        p
          input#password(type='password', name='code', placeholder='Enter user code here')
        p
          input(type='submit', value='Sign In')

任何帮助将不胜感激 . 这个例子是我试图复制的; http://scottksmith.com/blog/2014/09/04/simple-steps-to-secure-your-express-node-application/