Plug.CSRFProtection
Plug to protect from cross-site request forgery.
This plug stores the CSRF token in a cookie during HEAD and GET requests and compares the value of the cookie with the token given as a parameter or as part of the request header “x-csrf-token” during POST/PUT/etc. requests. If the token is invalid, InvalidCSRFTokenError is raised.
JavaScript GET requests are only allowed if they are XHR requests. Otherwise, an InvalidCrossOriginRequestError error will be raised.
You may disable this plug in certain occasions, usually during tests, by doing:
Plug.Conn.put_private(:plug_skip_csrf_protection, true)
Options
:name - the name of the cookie, defaults to “_csrf_token”
:domain - the domain of the csrf cookie
:path - the path the cookie applies to
:http_only - if the cookie should be http only (by default is false)
Examples
plug :fetch_cookies
plug :fetch_params
plug Plug.CSRFProtection
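The flow described above (cookie set on GET, token echoed back in the “x-csrf-token” header on POST, InvalidCSRFTokenError on mismatch, and the :plug_skip_csrf_protection escape hatch) as an added example, not code from the Plug project itself. It assumes the module names MyApp.Router and MyApp.RouterTest, that the error is namespaced as Plug.CSRFProtection.InvalidCSRFTokenError, and the Plug.Test helpers conn/2, put_req_cookie/3 and put_req_header/3.

```elixir
# Added illustration (not Plug's own code): the documented pipeline in a router.
defmodule MyApp.Router do
  use Plug.Router

  plug :fetch_cookies          # the "_csrf_token" cookie must be readable
  plug :fetch_params           # the token may also arrive as a request param
  plug Plug.CSRFProtection
  plug :match
  plug :dispatch

  get "/form" do
    send_resp(conn, 200, "form")
  end

  post "/submit" do
    send_resp(conn, 200, "ok")
  end
end

# Walks through the three cases the documentation describes.
defmodule MyApp.RouterTest do
  use ExUnit.Case, async: true
  use Plug.Test

  @opts MyApp.Router.init([])

  test "GET sets the CSRF cookie, POST must echo the same token" do
    # 1. A plain GET: the plug sets the "_csrf_token" response cookie.
    get_conn = conn(:get, "/form") |> MyApp.Router.call(@opts)
    token = get_conn.resp_cookies["_csrf_token"].value

    # 2. POST carrying the cookie and the matching x-csrf-token header passes.
    ok_conn =
      conn(:post, "/submit")
      |> put_req_cookie("_csrf_token", token)
      |> put_req_header("x-csrf-token", token)
      |> MyApp.Router.call(@opts)
    assert ok_conn.status == 200

    # 3. Same cookie but a wrong token: the plug raises.
    assert_raise Plug.CSRFProtection.InvalidCSRFTokenError, fn ->
      conn(:post, "/submit")
      |> put_req_cookie("_csrf_token", token)
      |> put_req_header("x-csrf-token", "not-the-real-token")
      |> MyApp.Router.call(@opts)
    end
  end

  test "the check can be disabled for a request, e.g. in tests" do
    skipped = conn(:post, "/submit") |> put_private(:plug_skip_csrf_protection, true)
    assert MyApp.Router.call(skipped, @opts).status == 200
  end
end
```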
Summary
call(conn, opts) - Callback implementation of
init(opts) - Callback implementation of