
CSRF protection in Express - Cheat Sheet & Quick Revision

Recall & Review
beginner
What does CSRF stand for and what problem does it solve?
CSRF stands for Cross-Site Request Forgery. It stops attackers from tricking users into making unwanted actions on websites where they are logged in.
beginner
How does a CSRF token help protect a web app?
A CSRF token is a secret value sent with forms or requests. The server checks this token to make sure the request is from the real user, not a fake source.
intermediate
Which Express middleware is commonly used for CSRF protection?
The 'csurf' middleware is commonly used in Express apps to add CSRF protection by generating and validating tokens.
intermediate
What must you do to use 'csurf' middleware correctly in Express?
You must use cookie-parser or session middleware first, then add 'csurf'. Also, include the CSRF token in your forms or AJAX requests for validation.
intermediate
Why should CSRF tokens be unique per user session?
Unique tokens prevent attackers from guessing or reusing tokens. This ensures only the real user’s requests are accepted.
What is the main purpose of CSRF protection in Express apps?
A. Prevent unauthorized commands from trusted users
B. Encrypt user passwords
C. Improve page load speed
D. Validate email addresses
Which middleware must be used before 'csurf' in Express for it to work properly?
A. body-parser only
B. cookie-parser or session middleware
C. helmet
D. cors
How is the CSRF token usually sent back to the server in a form submission?
A. As a hidden form field
B. In the URL query string
C. In the HTTP headers only
D. As a cookie only
What happens if a request does not have a valid CSRF token when using 'csurf'?
A. The request is accepted anyway
B. The token is automatically generated
C. The server logs the request but processes it
D. The request is rejected with an error
Why is CSRF protection important even if you use HTTPS?
A. Because HTTPS blocks all cookies
B. Because HTTPS slows down the site
C. Because HTTPS only encrypts data, it does not stop forged requests
D. Because HTTPS disables JavaScript
Explain how CSRF tokens work in an Express app to protect user actions.
Think about how the server knows a request is genuine.
Describe the steps to add CSRF protection using 'csurf' middleware in an Express application.
Consider middleware order and token usage.

      Practice

      1. What is the main purpose of CSRF protection in an Express app?
      easy
      A. To prevent unauthorized commands from being sent from other websites
      B. To speed up the server response time
      C. To encrypt user passwords
      D. To log user activity on the server

      Solution

      1. Step 1: Understand CSRF meaning

        CSRF stands for Cross-Site Request Forgery, which tricks users into submitting unwanted actions.
      2. Step 2: Identify CSRF protection goal

        Protection stops other sites from sending commands on behalf of a user without permission.
      3. Final Answer:

        To prevent unauthorized commands from being sent from other websites -> Option A
      4. Quick Check:

        CSRF protection = prevent unauthorized commands [OK]
      Hint: CSRF stops fake requests from other sites [OK]
      Common Mistakes:
      • Confusing CSRF with password encryption
      • Thinking it speeds up server
      • Believing it logs user activity
      2. Which of the following is the correct way to add CSRF protection middleware in Express using the csurf package?
      easy
      A. app.use(csurf({ cookie: true }))
      B. app.use(csrf())
      C. app.use(csrfProtection())
      D. app.use(csrf({ session: false }))

      Solution

      1. Step 1: Recall csurf usage

        The csurf middleware is used as csurf({ cookie: true }) to enable cookie-based CSRF tokens.
      2. Step 2: Check options correctness

        Options B, C, and D use wrong function names or invalid options.
      3. Final Answer:

        app.use(csurf({ cookie: true })) -> Option A
      4. Quick Check:

        Correct csurf syntax = app.use(csurf({ cookie: true })) [OK]
      Hint: Use csurf with correct function and options [OK]
      Common Mistakes:
      • Using wrong function name like csrf()
      • Missing the cookie option
      • Passing invalid options
      3. Given this Express route using csurf middleware, what will happen if the CSRF token is missing or invalid?
      app.post('/submit', csurf({ cookie: true }), (req, res) => {
        res.send('Form submitted');
      });
      medium
      A. The server redirects to the home page
      B. The server responds with 'Form submitted' anyway
      C. The server throws a 403 Forbidden error
      D. The server crashes with an uncaught exception

      Solution

      1. Step 1: Understand csurf error handling

        If the CSRF token is missing or invalid, csurf middleware triggers an error with status 403 Forbidden.
      2. Step 2: Check route behavior

        The route handler is not called; instead, Express sends a 403 error response.
      3. Final Answer:

        The server throws a 403 Forbidden error -> Option C
      4. Quick Check:

        Invalid CSRF token = 403 Forbidden error [OK]
      Hint: Missing token causes 403 error, not success [OK]
      Common Mistakes:
      • Assuming form submits anyway
      • Thinking server redirects automatically
      • Believing server crashes
      4. You added csurf middleware but your form keeps failing CSRF validation. Which of these is the most likely cause?
      medium
      A. You did not install the cookie-parser package
      B. You used app.use(express.json()) before csurf()
      C. You set cookie: false in csurf options
      D. You forgot to include the CSRF token in the form as a hidden input

      Solution

      1. Step 1: Check form token inclusion

        CSRF protection requires the token to be sent with the form, usually as a hidden input field.
      2. Step 2: Evaluate other options

        While cookie-parser is needed if using cookies, the most common cause is missing token in the form.
      3. Final Answer:

        You forgot to include the CSRF token in the form as a hidden input -> Option D
      4. Quick Check:

        Missing token in form = validation fails [OK]
      Hint: Always add CSRF token hidden input in forms [OK]
      Common Mistakes:
      • Ignoring token in form fields
      • Misordering middleware without reason
      • Assuming cookie-parser always required
      5. You want to protect an Express app using csurf with cookie-based tokens and render the token in a form. Which code snippet correctly sets up the middleware and passes the token to the template?
      hard
      A. app.use(csurf({ cookie: false })); app.get('/form', (req, res) => { res.render('form', { csrfToken: req.csrfToken() }); });
      B. app.use(csurf({ cookie: true })); app.get('/form', (req, res) => { res.render('form', { csrfToken: req.csrfToken() }); });
      C. app.use(csurf()); app.get('/form', (req, res) => { res.render('form', { csrfToken: req.csrfToken }); });
      D. app.use(csurf({ cookie: true })); app.get('/form', (req, res) => { res.render('form', { csrfToken: req.csrfToken }); });

      Solution

      1. Step 1: Setup csurf with cookie option

        Use csurf({ cookie: true }) to enable cookie-based CSRF tokens.
      2. Step 2: Call req.csrfToken() as a function

        To get the token string, call req.csrfToken(), not just reference the function.
      3. Step 3: Pass token to template

        Pass the token as csrfToken in the render call for the form to use.
      4. Final Answer:

        app.use(csurf({ cookie: true })); app.get('/form', (req, res) => { res.render('form', { csrfToken: req.csrfToken() }); }); -> Option B
      5. Quick Check:

        Correct csurf setup + token call = app.use(csurf({ cookie: true })); app.get('/form', (req, res) => { res.render('form', { csrfToken: req.csrfToken() }); }); [OK]
      Hint: Call req.csrfToken() and enable cookie option [OK]
      Common Mistakes:
      • Not calling req.csrfToken() as a function
      • Using cookie: false when cookies are needed
      • Passing function reference instead of token string