mirror of
https://github.com/actix/actix-website
synced 2024-12-04 20:51:54 +01:00
57 lines
8.2 KiB
HTML
57 lines
8.2 KiB
HTML
|
<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta name="generator" content="rustdoc"><meta name="description" content="API documentation for the Rust `csrf` mod in crate `actix_web`."><meta name="keywords" content="rust, rustlang, rust-lang, csrf"><title>actix_web::middleware::csrf - Rust</title><link rel="stylesheet" type="text/css" href="../../../normalize.css"><link rel="stylesheet" type="text/css" href="../../../rustdoc.css" id="mainThemeStyle"><link rel="stylesheet" type="text/css" href="../../../dark.css"><link rel="stylesheet" type="text/css" href="../../../light.css" id="themeStyle"><script src="../../../storage.js"></script></head><body class="rustdoc mod"><!--[if lte IE 8]><div class="warning">This old browser is unsupported and will most likely display funky things.</div><![endif]--><nav class="sidebar"><div class="sidebar-menu">☰</div><p class='location'>Module csrf</p><div class="sidebar-elems"><div class="block items"><ul><li><a href="#structs">Structs</a></li><li><a href="#enums">Enums</a></li></ul></div><p class='location'><a href='../../index.html'>actix_web</a>::<wbr><a href='../index.html'>middleware</a></p><script>window.sidebarCurrent = {name: 'csrf', ty: 'mod', relpath: '../'};</script><script defer src="../sidebar-items.js"></script></div></nav><div class="theme-picker"><button id="theme-picker" aria-label="Pick another theme!"><img src="../../../brush.svg" width="18" alt="Pick another theme!"></button><div id="theme-choices"></div></div><script src="../../../theme.js"></script><nav class="sub"><form class="search-form js-only"><div class="search-container"><input class="search-input" name="search" autocomplete="off" placeholder="Click or press ‘S’ to search, ‘?’ for more options…" type="search"><a id="settings-menu" href="../../../settings.html"><img src="../../../wheel.svg" width="18" alt="Change settings"></a></div></form></nav><section id="main" class="content"><h1 class='fqn'><span class='out-of-band'><span id='render-detail'><a id="toggle-all-docs" href="javascript:void(0)" title="collapse all docs">[<span class='inner'>−</span>]</a></span><a class='srclink' href='../../../src/actix_web/middleware/csrf.rs.html#1-275' title='goto source code'>[src]</a></span><span class='in-band'>Module <a href='../../index.html'>actix_web</a>::<wbr><a href='../index.html'>middleware</a>::<wbr><a class="mod" href=''>csrf</a></span></h1><div class='docblock'><p>A filter for cross-site request forgery (CSRF).</p>
|
|||
|
<p>This middleware is stateless and <a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Verifying_Same_Origin_with_Standard_Headers">based on request
|
|||
|
headers</a>.</p>
|
|||
|
<p>By default requests are allowed only if one of these is true:</p>
|
|||
|
<ul>
|
|||
|
<li>The request method is safe (<code>GET</code>, <code>HEAD</code>, <code>OPTIONS</code>). It is the
|
|||
|
applications responsibility to ensure these methods cannot be used to
|
|||
|
execute unwanted actions. Note that upgrade requests for websockets are
|
|||
|
also considered safe.</li>
|
|||
|
<li>The <code>Origin</code> header (added automatically by the browser) matches one
|
|||
|
of the allowed origins.</li>
|
|||
|
<li>There is no <code>Origin</code> header but the <code>Referer</code> header matches one of
|
|||
|
the allowed origins.</li>
|
|||
|
</ul>
|
|||
|
<p>Use <a href="struct.CsrfFilter.html#method.allow_xhr"><code>CsrfFilter::allow_xhr()</code></a>
|
|||
|
if you want to allow requests with unprotected methods via
|
|||
|
<a href="../cors/struct.Cors.html">CORS</a>.</p>
|
|||
|
<h1 id="example" class="section-header"><a href="#example">Example</a></h1>
|
|||
|
<pre class="rust rust-example-rendered">
|
|||
|
<span class="kw">use</span> <span class="ident">actix_web</span>::<span class="ident">middleware</span>::<span class="ident">csrf</span>;
|
|||
|
<span class="kw">use</span> <span class="ident">actix_web</span>::{<span class="ident">http</span>, <span class="ident">App</span>, <span class="ident">HttpRequest</span>, <span class="ident">HttpResponse</span>};
|
|||
|
|
|||
|
<span class="kw">fn</span> <span class="ident">handle_post</span>(<span class="kw">_</span>: <span class="kw-2">&</span><span class="ident">HttpRequest</span>) <span class="op">-></span> <span class="kw-2">&</span><span class="lifetime">'static</span> <span class="ident">str</span> {
|
|||
|
<span class="string">"This action should only be triggered with requests from the same site"</span>
|
|||
|
}
|
|||
|
|
|||
|
<span class="kw">fn</span> <span class="ident">main</span>() {
|
|||
|
<span class="kw">let</span> <span class="ident">app</span> <span class="op">=</span> <span class="ident">App</span>::<span class="ident">new</span>()
|
|||
|
.<span class="ident">middleware</span>(
|
|||
|
<span class="ident">csrf</span>::<span class="ident">CsrfFilter</span>::<span class="ident">new</span>().<span class="ident">allowed_origin</span>(<span class="string">"https://www.example.com"</span>),
|
|||
|
)
|
|||
|
.<span class="ident">resource</span>(<span class="string">"/"</span>, <span class="op">|</span><span class="ident">r</span><span class="op">|</span> {
|
|||
|
<span class="ident">r</span>.<span class="ident">method</span>(<span class="ident">http</span>::<span class="ident">Method</span>::<span class="ident">GET</span>).<span class="ident">f</span>(<span class="op">|</span><span class="kw">_</span><span class="op">|</span> <span class="ident">HttpResponse</span>::<span class="prelude-val">Ok</span>());
|
|||
|
<span class="ident">r</span>.<span class="ident">method</span>(<span class="ident">http</span>::<span class="ident">Method</span>::<span class="ident">POST</span>).<span class="ident">f</span>(<span class="ident">handle_post</span>);
|
|||
|
})
|
|||
|
.<span class="ident">finish</span>();
|
|||
|
}</pre>
|
|||
|
<p>In this example the entire application is protected from CSRF.</p>
|
|||
|
</div><h2 id='structs' class='section-header'><a href="#structs">Structs</a></h2>
|
|||
|
<table>
|
|||
|
<tr class=' module-item'>
|
|||
|
<td><a class="struct" href="struct.CsrfFilter.html"
|
|||
|
title='struct actix_web::middleware::csrf::CsrfFilter'>CsrfFilter</a></td>
|
|||
|
<td class='docblock-short'>
|
|||
|
<p>A middleware that filters cross-site requests.</p>
|
|||
|
|
|||
|
</td>
|
|||
|
</tr></table><h2 id='enums' class='section-header'><a href="#enums">Enums</a></h2>
|
|||
|
<table>
|
|||
|
<tr class=' module-item'>
|
|||
|
<td><a class="enum" href="enum.CsrfError.html"
|
|||
|
title='enum actix_web::middleware::csrf::CsrfError'>CsrfError</a></td>
|
|||
|
<td class='docblock-short'>
|
|||
|
<p>Potential cross-site request forgery detected.</p>
|
|||
|
|
|||
|
</td>
|
|||
|
</tr></table></section><section id="search" class="content hidden"></section><section class="footer"></section><aside id="help" class="hidden"><div><h1 class="hidden">Help</h1><div class="shortcuts"><h2>Keyboard Shortcuts</h2><dl><dt><kbd>?</kbd></dt><dd>Show this help dialog</dd><dt><kbd>S</kbd></dt><dd>Focus the search field</dd><dt><kbd>↑</kbd></dt><dd>Move up in search results</dd><dt><kbd>↓</kbd></dt><dd>Move down in search results</dd><dt><kbd>↹</kbd></dt><dd>Switch tab</dd><dt><kbd>⏎</kbd></dt><dd>Go to active search result</dd><dt><kbd>+</kbd></dt><dd>Expand all sections</dd><dt><kbd>-</kbd></dt><dd>Collapse all sections</dd></dl></div><div class="infos"><h2>Search Tricks</h2><p>Prefix searches with a type followed by a colon (e.g. <code>fn:</code>) to restrict the search to a given type.</p><p>Accepted types are: <code>fn</code>, <code>mod</code>, <code>struct</code>, <code>enum</code>, <code>trait</code>, <code>type</code>, <code>macro</code>, and <code>const</code>.</p><p>Search functions by type signature (e.g. <code>vec -> usize</code> or <code>* -> vec</code>)</p><p>Search multiple things at once by splitting your query with comma (e.g. <code>str,u8</code> or <code>String,struct:Vec,test</code>)</p></div></div></aside><script>window.rootPath = "../../../";window.currentCrate = "actix_web";</script><script src="../../../aliases.js"></script><script src="../../../main.js"></script><script defer src="../../../search-index.js"></script></body></html>
|