Skip to content
/ csrf-cookie-token-generator Public

HTTP server written in rust that generates CSRF token on request and stores it in cookie

5 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

EcomDev/csrf-cookie-token-generator

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

26 Commits
ci
ci
 
 
src
src
 
 
.gitignore
.gitignore
 
 
.travis.yml
.travis.yml
 
 
Cargo.lock
Cargo.lock
 
 
Cargo.toml
Cargo.toml
 
 
README.md
README.md
 
 

Repository files navigation

CSRF Token Generator HTTP Server

Usually generation of tokens for preventing CSRF attacks can be resource expensive as you have to initialize a whole application and store unique token in session storage between the requests.

This HTTP server comes to tackle this issue by introducing cookie only based CSRF token. In response to HTTP request, server returns two cookies (cookie names are configurable): token and checksum. Token cookie is readable by JavaScript, buck checksum cookie is HTTP only cookie to be accessed by your backend application to verify the cookie signature. This checksum is using secret key that you specify as a command argument for a server that it is not exposed to an outside world.

Installation

During release of new version of the HTTP server a new binary for major *nix like OS are compiled and can be found here. You can also compile it from sources on a platform of your choice by using cargo build command.

After you downloaded or compiled a binary, you can run a tool with such options:

USAGE:
    csrf-cookie-token [OPTIONS] <checksum-secret>

FLAGS:
    -h, --help       Prints help information
    -V, --version    Prints version information

OPTIONS:
    -c, --checksum-cookie <checksum-cookie-name>     [default: varnish_token_checksum]
    -d, --cookie-domain <cookie-domain>              [default: ]
    -p, --server-port <port>                         [default: 9999]
    -t, --token-cookie <token-cookie-name>           [default: varnish_token]

ARGS:
    <checksum-secret>

After you've setup a server to run in the background, you can simply proxy calls for token generation by the url of your choice using this simple Nginx rule:

location /generate-csrf-token {
   proxy_pass http://127.0.0.1:9999;
   proxy_set_header Host $http_host;
}

The server always binds to 127.0.0.1 so you cannot access it without some kind of proxying.

Verifying the generated token

In order to implement the CSRF token verification you need to create first a JSON string with such data:

{"salt":"[your_secret_key]","token":"[csrf_token_send_by_user]"}

Then you just hash whole string with md5 (yeah, I know it is not the strongest one, but for a short lived checksum is more than enough). Make sure JSON string is not pretty printed and does not have any whitespaces.

After you verified the token in you application, you MUST regenerate a token and checksum and set appropriate cookies yourself, to make sure if key is leaked by any other means it cannot be re-used.

About

HTTP server written in rust that generates CSRF token on request and stores it in cookie

Resources

Readme
Activity
Custom properties

Stars

5 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases 3

0.2.0: Modifications: Latest
Oct 28, 2019
+ 2 releases

Packages

No packages published

Languages