NAME

Mojolicious::Plugin::CSRFProtect - Fully protects you from CSRF attacks

SYNOPSIS

# Mojolicious
$self->plugin('CSRFProtect');

# Mojolicious::Lite
plugin 'CSRFProtect';

# Use "form_for" helper and all your html forms will have CSRF protection token

<%= form_for login => (method => 'post') => begin %>
       <%= text_field 'first_name' %>
       <%= submit_button %>
<% end %>

# Place jquery_ajax_csrf_protection helper to your layout template
# and all non GET/HEAD/OPTIONS  AJAX requests will have CSRF protection token (requires JQuery)

<%= jquery_ajax_csrf_protection %>

# Custom error handling
$self->plugin('CSRFProtect', on_error => sub {
    my $c = shift;
    # Do whatever you want here
    # ...
});

DESCRIPTION

Mojolicious::Plugin::CSRFProtect is a Mojolicious plugin which fully protects you from CSRF attacks.

It does following things:

1. Adds a hidden input (with name 'csrftoken') with CSRF protection token to every form (works only if you use form_for helper from Mojolicious::Plugin::TagHelpers.)

2. Adds the header "X-CSRF-Token" with CSRF token to every AJAX request (works with JQuery only)

3. Rejects all non GET/HEAD/OPTIONS requests without the correct CSRF protection token.

If you want protect your GET/HEAD/OPTIONS requests then you can do it manually

In template: <a href="/delete_user/123/?csrftoken=<%= csrftoken %>">

In controller: $self->is_valid_csrftoken()

CONFIG

`on_error`

You can pass custom error handling callback. For example

$self->plugin('CSRFProtect', on_error => sub {
    my $c = shift;
    $c->render(template => 'error_403', status => 403 );
});

HELPERS

`form_for`

This helper overrides the form_for helper from Mojolicious::Plugin::TagHelpers

and adds hidden input with CSRF protection token.

`jquery_ajax_csrf_protection`

This helper adds CSRF protection headers to all JQuery AJAX requests.

You should add <%= jquery_ajax_csrf_protection %> in head of your HTML page.

`csrftoken`

returns CSRF Protection token.

In templates <%= csrftoken %>

In controller $self->csrftoken;

`is_valid_csrftoken`

With this helper you can check $csrftoken manually. It will take $csrftoken from $c->param('csrftoken');

$self->is_valid_csrftoken() will return 1 or 0

AUTHOR

Viktor Turskyi <koorchik@cpan.org>

BUGS

Please report any bugs or feature requests to bug-mojolicious-plugin-csrfprotect at rt.cpan.org, or through the web interface at http://rt.cpan.org/NoAuth/ReportBug.html?Queue=Mojolicious-Plugin-CSRFProtect. I will be notified, and then you'll automatically be notified of progress on your bug as I make changes.

Also you can report bugs to Github https://github.com/koorchik/Mojolicious-Plugin-CSRFProtect/

LICENSE AND COPYRIGHT

This program is free software; you can redistribute it and/or modify it under the terms of either: the GNU General Public License as published by the Free Software Foundation; or the Artistic License.

See http://dev.perl.org/licenses/ for more information.

To install Mojolicious::Plugin::CSRFProtect, copy and paste the appropriate command in to your terminal.

cpanm

cpanm Mojolicious::Plugin::CSRFProtect

CPAN shell

perl -MCPAN -e shell
install Mojolicious::Plugin::CSRFProtect

For more information on module installation, please visit the detailed CPAN module installation guide.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	go to github issues (only if github is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

	Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)

NAME

SYNOPSIS

DESCRIPTION

CONFIG

on_error

HELPERS

form_for

jquery_ajax_csrf_protection

csrftoken

is_valid_csrftoken