1
0
mirror of https://github.com/actix/actix-website synced 2025-01-23 16:44:36 +01:00
2018-07-21 04:09:47 -07:00

57 lines
8.2 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta name="generator" content="rustdoc"><meta name="description" content="API documentation for the Rust `csrf` mod in crate `actix_web`."><meta name="keywords" content="rust, rustlang, rust-lang, csrf"><title>actix_web::middleware::csrf - Rust</title><link rel="stylesheet" type="text/css" href="../../../normalize.css"><link rel="stylesheet" type="text/css" href="../../../rustdoc.css" id="mainThemeStyle"><link rel="stylesheet" type="text/css" href="../../../dark.css"><link rel="stylesheet" type="text/css" href="../../../light.css" id="themeStyle"><script src="../../../storage.js"></script></head><body class="rustdoc mod"><!--[if lte IE 8]><div class="warning">This old browser is unsupported and will most likely display funky things.</div><![endif]--><nav class="sidebar"><div class="sidebar-menu">&#9776;</div><p class='location'>Module csrf</p><div class="sidebar-elems"><div class="block items"><ul><li><a href="#structs">Structs</a></li><li><a href="#enums">Enums</a></li></ul></div><p class='location'><a href='../../index.html'>actix_web</a>::<wbr><a href='../index.html'>middleware</a></p><script>window.sidebarCurrent = {name: 'csrf', ty: 'mod', relpath: '../'};</script><script defer src="../sidebar-items.js"></script></div></nav><div class="theme-picker"><button id="theme-picker" aria-label="Pick another theme!"><img src="../../../brush.svg" width="18" alt="Pick another theme!"></button><div id="theme-choices"></div></div><script src="../../../theme.js"></script><nav class="sub"><form class="search-form js-only"><div class="search-container"><input class="search-input" name="search" autocomplete="off" placeholder="Click or press S to search, ? for more options…" type="search"><a id="settings-menu" href="../../../settings.html"><img src="../../../wheel.svg" width="18" alt="Change settings"></a></div></form></nav><section id="main" class="content"><h1 class='fqn'><span class='in-band'>Module <a href='../../index.html'>actix_web</a>::<wbr><a href='../index.html'>middleware</a>::<wbr><a class="mod" href=''>csrf</a></span><span class='out-of-band'><span id='render-detail'><a id="toggle-all-docs" href="javascript:void(0)" title="collapse all docs">[<span class='inner'>&#x2212;</span>]</a></span><a class='srclink' href='../../../src/actix_web/middleware/csrf.rs.html#1-276' title='goto source code'>[src]</a></span></h1><div class='docblock'><p>A filter for cross-site request forgery (CSRF).</p>
<p>This middleware is stateless and <a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Verifying_Same_Origin_with_Standard_Headers">based on request
headers</a>.</p>
<p>By default requests are allowed only if one of these is true:</p>
<ul>
<li>The request method is safe (<code>GET</code>, <code>HEAD</code>, <code>OPTIONS</code>). It is the
applications responsibility to ensure these methods cannot be used to
execute unwanted actions. Note that upgrade requests for websockets are
also considered safe.</li>
<li>The <code>Origin</code> header (added automatically by the browser) matches one
of the allowed origins.</li>
<li>There is no <code>Origin</code> header but the <code>Referer</code> header matches one of
the allowed origins.</li>
</ul>
<p>Use <a href="struct.CsrfFilter.html#method.allow_xhr"><code>CsrfFilter::allow_xhr()</code></a>
if you want to allow requests with unprotected methods via
<a href="../cors/struct.Cors.html">CORS</a>.</p>
<h1 id="example" class="section-header"><a href="#example">Example</a></h1>
<pre class="rust rust-example-rendered">
<span class="kw">use</span> <span class="ident">actix_web</span>::<span class="ident">middleware</span>::<span class="ident">csrf</span>;
<span class="kw">use</span> <span class="ident">actix_web</span>::{<span class="ident">http</span>, <span class="ident">App</span>, <span class="ident">HttpRequest</span>, <span class="ident">HttpResponse</span>};
<span class="kw">fn</span> <span class="ident">handle_post</span>(<span class="kw">_</span>: <span class="kw-2">&amp;</span><span class="ident">HttpRequest</span>) <span class="op">-&gt;</span> <span class="kw-2">&amp;</span><span class="lifetime">&#39;static</span> <span class="ident">str</span> {
<span class="string">&quot;This action should only be triggered with requests from the same site&quot;</span>
}
<span class="kw">fn</span> <span class="ident">main</span>() {
<span class="kw">let</span> <span class="ident">app</span> <span class="op">=</span> <span class="ident">App</span>::<span class="ident">new</span>()
.<span class="ident">middleware</span>(
<span class="ident">csrf</span>::<span class="ident">CsrfFilter</span>::<span class="ident">new</span>().<span class="ident">allowed_origin</span>(<span class="string">&quot;https://www.example.com&quot;</span>),
)
.<span class="ident">resource</span>(<span class="string">&quot;/&quot;</span>, <span class="op">|</span><span class="ident">r</span><span class="op">|</span> {
<span class="ident">r</span>.<span class="ident">method</span>(<span class="ident">http</span>::<span class="ident">Method</span>::<span class="ident">GET</span>).<span class="ident">f</span>(<span class="op">|</span><span class="kw">_</span><span class="op">|</span> <span class="ident">HttpResponse</span>::<span class="prelude-val">Ok</span>());
<span class="ident">r</span>.<span class="ident">method</span>(<span class="ident">http</span>::<span class="ident">Method</span>::<span class="ident">POST</span>).<span class="ident">f</span>(<span class="ident">handle_post</span>);
})
.<span class="ident">finish</span>();
}</pre>
<p>In this example the entire application is protected from CSRF.</p>
</div><h2 id='structs' class='section-header'><a href="#structs">Structs</a></h2>
<table>
<tr class=' module-item'>
<td><a class="struct" href="struct.CsrfFilter.html"
title='struct actix_web::middleware::csrf::CsrfFilter'>CsrfFilter</a></td>
<td class='docblock-short'>
<p>A middleware that filters cross-site requests.</p>
</td>
</tr></table><h2 id='enums' class='section-header'><a href="#enums">Enums</a></h2>
<table>
<tr class=' module-item'>
<td><a class="enum" href="enum.CsrfError.html"
title='enum actix_web::middleware::csrf::CsrfError'>CsrfError</a></td>
<td class='docblock-short'>
<p>Potential cross-site request forgery detected.</p>
</td>
</tr></table></section><section id="search" class="content hidden"></section><section class="footer"></section><aside id="help" class="hidden"><div><h1 class="hidden">Help</h1><div class="shortcuts"><h2>Keyboard Shortcuts</h2><dl><dt><kbd>?</kbd></dt><dd>Show this help dialog</dd><dt><kbd>S</kbd></dt><dd>Focus the search field</dd><dt><kbd></kbd></dt><dd>Move up in search results</dd><dt><kbd></kbd></dt><dd>Move down in search results</dd><dt><kbd></kbd></dt><dd>Switch tab</dd><dt><kbd>&#9166;</kbd></dt><dd>Go to active search result</dd><dt><kbd>+</kbd></dt><dd>Expand all sections</dd><dt><kbd>-</kbd></dt><dd>Collapse all sections</dd></dl></div><div class="infos"><h2>Search Tricks</h2><p>Prefix searches with a type followed by a colon (e.g. <code>fn:</code>) to restrict the search to a given type.</p><p>Accepted types are: <code>fn</code>, <code>mod</code>, <code>struct</code>, <code>enum</code>, <code>trait</code>, <code>type</code>, <code>macro</code>, and <code>const</code>.</p><p>Search functions by type signature (e.g. <code>vec -> usize</code> or <code>* -> vec</code>)</p><p>Search multiple things at once by splitting your query with comma (e.g. <code>str,u8</code> or <code>String,struct:Vec,test</code>)</p></div></div></aside><script>window.rootPath = "../../../";window.currentCrate = "actix_web";</script><script src="../../../aliases.js"></script><script src="../../../main.js"></script><script defer src="../../../search-index.js"></script></body></html>