# @csrf-armor/express

## CSRF Armor


Express.js adapter for CSRF Armor - Advanced CSRF protection for Express.js applications.


## Installation

```bash
npm install @csrf-armor/express
# or
yarn add @csrf-armor/express
# or
pnpm add @csrf-armor/express
```

## Usage

```javascript
import express from 'express';
import { csrfMiddleware } from '@csrf-armor/express';

const app = express();

// Create the CSRF middleware
const csrfProtect = csrfMiddleware({
  // Optional configuration
  excludePaths: ['/webhook'], // Paths to exclude from CSRF protection
  strategy: 'signed-double-submit', // CSRF protection strategy
  secret: 'your-secret-key', // Required for signed strategies
  cookie: {
    name: 'csrf-token',
    options: {
      httpOnly: true,
      secure: true,
      sameSite: 'strict'
    }
  }
});

// Apply the middleware to protected routes
app.use('/api', csrfProtect);

// Your routes here
app.post('/api/data', (req, res) => {
  res.json({ success: true });
});
```

## Configuration

The middleware accepts all configuration options from @csrf-armor/core. See the core documentation for detailed configuration options.

### Quick Configuration Reference

```javascript
csrfMiddleware({
  strategy: 'signed-double-submit',    // Security strategy
  secret: process.env.CSRF_SECRET,     // Required for signed strategies
  token: {
    expiry: 3600,                      // Token lifetime (seconds)
    reissueThreshold: 500,             // Auto-renewal threshold (seconds)
    headerName: 'X-CSRF-Token',        // Header name
    fieldName: 'csrf_token'            // Form field name
  },
  cookie: {
    name: 'csrf-token',                // Cookie name
    secure: true,                      // HTTPS only
    httpOnly: false,                   // Allow client access
    sameSite: 'strict'                 // CSRF protection
  },
  excludePaths: ['/api/public'],       // Skip protection
  allowedOrigins: ['https://yourdomain.com'] // Origin allowlist
})
```

## 📄 License

MIT © Muneeb Samuels


## 📦 Related Packages


Questions? Open an issue or start a discussion!