Module actix_web::middleware::csrf

A filter for cross-site request forgery (CSRF).

This middleware is stateless and based on request headers.

By default requests are allowed only if one of these is true:

Use CsrfFilter::allow_xhr() if you want to allow requests with unprotected methods via CORS.

Example

use actix_web::middleware::csrf;
use actix_web::{http, App, HttpRequest, HttpResponse};

// A state-changing handler: it must only be reachable from the same site.
fn handle_post(_: &HttpRequest) -> &'static str {
    "This action should only be triggered with requests from the same site"
}

fn main() {
    let app = App::new()
        // Apply the CSRF filter to the whole application and allow-list
        // the site's own origin.
        .middleware(
            csrf::CsrfFilter::new().allowed_origin("https://www.example.com"),
        )
        .resource("/", |r| {
            // GET is a safe method and passes the filter; POST is checked.
            r.method(http::Method::GET).f(|_| HttpResponse::Ok());
            r.method(http::Method::POST).f(handle_post);
        })
        .finish();
}

In this example the entire application is protected from CSRF.
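To make the decision logic of a stateless, header-based CSRF filter concrete, here is an added, dependency-free Rust model written for this page. It is not actix-web's own code and does not reproduce its internals: the `Request` view, `validate`, `origin_of` and `is_safe_method` are hypothetical names, the fallback from `Origin` to the origin part of `Referer` is an assumption, and `allow_xhr` is modelled as "trust requests that carry an `X-Requested-With` header" (a custom header forces a CORS preflight, which is what makes such XHR requests distinguishable from a plain cross-site form post). The safe-method list is the one from RFC 7231.

```rust
// Added example: a dependency-free model of a stateless, header-based CSRF
// filter in the spirit of the CsrfFilter described on this page. It is NOT
// the actix-web implementation; the Origin -> Referer fallback and the
// X-Requested-With rule for allow_xhr are assumptions made here.
use std::collections::HashSet;

/// Reasons a request is rejected (modelled on the page's CsrfError enum).
#[derive(Debug, PartialEq, Eq)]
pub enum CsrfError {
    /// Non-safe method with neither an Origin nor a Referer header.
    MissingOrigin,
    /// Origin (or the origin derived from Referer) is not on the allow-list.
    BadOrigin(String),
}

/// The only request data a stateless filter needs: the method and headers.
pub struct Request<'a> {
    pub method: &'a str,
    pub origin: Option<&'a str>,
    pub referer: Option<&'a str>,
    pub x_requested_with: Option<&'a str>,
}

pub struct CsrfFilter {
    allowed_origins: HashSet<String>,
    allow_xhr: bool,
}

impl CsrfFilter {
    pub fn new() -> Self {
        CsrfFilter { allowed_origins: HashSet::new(), allow_xhr: false }
    }

    /// Allow-list an origin given as "scheme://host[:port]" (no path).
    pub fn allowed_origin(mut self, origin: &str) -> Self {
        self.allowed_origins
            .insert(origin.trim_end_matches('/').to_ascii_lowercase());
        self
    }

    /// Assumption: allow_xhr accepts requests carrying X-Requested-With,
    /// because that custom header cannot be sent cross-site without a CORS
    /// preflight that the target must explicitly approve.
    pub fn allow_xhr(mut self) -> Self {
        self.allow_xhr = true;
        self
    }

    pub fn validate(&self, req: &Request) -> Result<(), CsrfError> {
        // Safe methods (RFC 7231 section 4.2.1) must not change state, so a
        // forged cross-site GET is harmless by design and passes.
        if is_safe_method(req.method) {
            return Ok(());
        }
        if self.allow_xhr && req.x_requested_with.is_some() {
            return Ok(());
        }
        // Prefer Origin; fall back to the origin part of Referer. Both are
        // set by the browser and cannot be overridden by page script.
        let origin = match (req.origin, req.referer) {
            (Some(o), _) => Some(o.to_string()),
            (None, Some(r)) => origin_of(r),
            (None, None) => None,
        };
        match origin {
            None => Err(CsrfError::MissingOrigin),
            // An "Origin: null" value (sandboxed frames, some redirects) is
            // never on the allow-list, so it is rejected here as well.
            Some(o) if self.allowed_origins.contains(&o.to_ascii_lowercase()) => Ok(()),
            Some(o) => Err(CsrfError::BadOrigin(o)),
        }
    }
}

fn is_safe_method(m: &str) -> bool {
    matches!(m, "GET" | "HEAD" | "OPTIONS" | "TRACE")
}

/// Reduce "https://www.example.com/form?x=1" to "https://www.example.com".
/// Returns None when the value is not an absolute URL.
fn origin_of(url: &str) -> Option<String> {
    let (scheme, rest) = url.split_once("://")?;
    let authority = rest.split(|c| c == '/' || c == '?' || c == '#').next()?;
    if authority.is_empty() {
        return None;
    }
    Some(format!("{}://{}", scheme, authority))
}

fn main() {
    // Constructed sample requests, mirroring the page's allowed origin.
    let filter = CsrfFilter::new().allowed_origin("https://www.example.com");
    let same_site = Request { method: "POST", origin: Some("https://www.example.com"), referer: None, x_requested_with: None };
    let cross_site = Request { method: "POST", origin: Some("https://attacker.invalid"), referer: None, x_requested_with: None };
    println!("same-site POST:  {:?}", filter.validate(&same_site));
    println!("cross-site POST: {:?}", filter.validate(&cross_site));
}
```

Running `main` shows the same-site POST accepted and the cross-site POST rejected with `BadOrigin`. The lookup is a plain set membership on the normalised origin string, so a near-miss such as `https://www.example.com.attacker.invalid` is rejected rather than prefix-matched.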

Structs

CsrfFilter

A middleware that filters cross-site requests.

Enums

CsrfError

Potential cross-site request forgery detected.