Concept Flow - CSRF protection
Client sends request
Server checks CSRF token
Process
Send response
The server checks if the CSRF token sent by the client matches the expected token before processing the request.
0
0
CSRF protection in Express - Step-by-Step Execution
Execution Sample
Express
const cookieParser = require('cookie-parser'); const csrf = require('csurf'); const express = require('express'); const app = express(); app.use(cookieParser()); app.use(express.urlencoded({ extended: false })); app.use(csrf({ cookie: true })); app.get('/form', (req, res) => { res.send(`<form method="POST" action="/form"> <input type="hidden" name="_csrf" value="${req.csrfToken()}"> <button type="submit">Submit</button> </form>`); }); app.post('/form', (req, res) => { res.send('Form submitted'); });
This code adds CSRF protection middleware to an Express app and handles a POST form submission.
Execution Table
| Step | Request Type | CSRF Token Present | Token Valid? | Action | Response |
|---|---|---|---|---|---|
| 1 | GET /form | No (token generated) | N/A | Generate token and send form | Form with CSRF token |
| 2 | POST /form | Yes (token sent) | Yes | Process form data | Form submitted |
| 3 | POST /form | Yes (token sent) | No | Reject request | 403 Forbidden |
| 4 | POST /form | No token | No | Reject request | 403 Forbidden |
💡 Requests without a valid CSRF token are rejected to prevent CSRF attacks.
Variable Tracker
| Variable | Start | After Step 1 | After Step 2 | After Step 3 | After Step 4 |
|---|---|---|---|---|---|
| csrfToken | undefined | generated token string | token string from client | token string from client | undefined |
Key Moments - 2 Insights
Why does the server reject a POST request without a CSRF token?
Because the CSRF middleware requires a valid token to confirm the request is from the trusted client, as shown in execution_table rows 3 and 4.
When is the CSRF token generated and sent to the client?
During a safe GET request, the server generates and sends the token embedded in the form, as shown in execution_table row 1.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution table, what happens at step 2 when the token is valid?
💡 Hint
Refer to execution_table row 2 under 'Action' and 'Response'
At which step does the server generate the CSRF token?
💡 Hint
Check execution_table row 1 where the token is generated and sent
If the client sends a POST request without any CSRF token, what response will the server give?
💡 Hint
See execution_table row 4 where no token causes rejection
Concept Snapshot
CSRF protection in Express: - Use csurf middleware to add CSRF tokens - Server generates token on safe requests (GET) - Client sends token with unsafe requests (POST) - Server validates token before processing - Reject requests with missing or invalid tokens - Prevents unauthorized cross-site requests
Full Transcript
CSRF protection in Express works by generating a unique token for each user session during safe requests like GET. This token is sent to the client embedded in forms. When the client submits a form with a POST request, it must include this token. The server checks the token's validity before processing the request. If the token is missing or invalid, the server rejects the request with a 403 Forbidden error. This process prevents attackers from tricking users into submitting unwanted requests from other sites. The csurf middleware handles token generation and validation automatically. The flow starts with the client requesting a form, the server generating and sending a token, then the client submitting the form with the token, and the server validating it before accepting the data.