NAME

Mojolicious::Plugin::DeCSRF - Defend against CSRF attacks centrally.

SYNOPSIS

# Mojolicious::Lite
#!/usr/bin/env perl

use Mojolicious::Lite;

plugin 'DeCSRF' => {
  # called instead of the default 403 "Forbidden!" response
  on_mismatch => sub {
    shift->render(template => '503', status => 503);
  },
  token_length => 8,         # default is 4
  token_name => 'csrf',      # url parameter and session key, default 'token'
  urls => [qw~/protected~]   # array reference, see decsrf->urls
};

# the templates are rendered automatically by route name ('index', 'protected')
get '/' => sub {
  my $self = shift;
} => 'index';

get '/protected' => sub {
  my $self = shift;
} => 'protected';

app->start();

__DATA__
@@ layouts/default.html.ep
<html>
  <body><%= content %></body>
</html>
@@ protected.html.ep
% layout 'default';
<a href="<%= decsrf->url('index') %>">Home</a>
@@ index.html.ep
% layout 'default';
<a href="<%= decsrf->url('protected') %>">Protected</a>
@@ 503.html.ep
Service error!
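An added test script for the SYNOPSIS application above; it is not part of the module's own test suite. It assumes the synopsis was saved as myapp.pl beside the test and that a request that carries no token at all counts as a mismatch; the 503 expectations follow from the on_mismatch callback the synopsis configures.

```perl
#!/usr/bin/env perl
# Added test for the synopsis application (not the plugin's own tests).
# Assumptions: the synopsis lives in myapp.pl next to this script, and a
# missing token is treated as a mismatch just like a wrong one.
use Mojo::Base -strict;
use Test::More;
use Test::Mojo;
use Mojo::Util qw(url_unescape);
use FindBin;

require "$FindBin::Bin/myapp.pl";
my $t = Test::Mojo->new;

# No token at all: must end in the configured on_mismatch callback
$t->get_ok('/protected')->status_is(503)->content_like(qr/Service error!/);

# A made-up token must fail the same way
$t->get_ok('/protected?csrf=AAAAAAAA')->status_is(503);

# The unprotected index page is served and carries the wrapped link
$t->get_ok('/')->status_is(200);
my $href = $t->tx->res->dom->at('a[href]')->{href};
like $href, qr/\?csrf=[^&]+$/, 'link built by decsrf->url carries the csrf parameter';
my ($token) = $href =~ /csrf=([^&]+)/;
is length(url_unescape $token), 8, 'token_length => 8 is honoured';

# Following the wrapped link with the session cookie Test::Mojo kept works
$t->get_ok($href)->status_is(200)->content_like(qr/Home/);

# The same token presented from a client without that session is useless
my $other = Test::Mojo->new;
$other->get_ok($href)->status_is(503);

done_testing;
```

Run it with `prove -v t/decsrf.t` (or `perl` directly); the last check is the one worth keeping in any application test, since a token that is accepted outside the session that minted it gives no CSRF protection at all.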

DESCRIPTION

Mojolicious::Plugin::DeCSRF is a Mojolicious plugin that defends a Mojolicious application from CSRF attacks centrally. The recommended strategy gives you flexible control over the urls: wrap every url you emit with decsrf->url(URL) and declare all urls that must be protected in one place with decsrf->urls().
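To make the mechanism concrete, here is an added stand-alone Mojolicious::Lite application that implements the same pattern by hand: one random token per session, urls wrapped by a helper, and one central check before the router. It is an illustration, not the plugin's code; the helper name protected_url, the @protected list and the $token_name variable are assumptions for this example, while csrf_token and secure_compare are the framework's own helper and Mojo::Util function.

```perl
#!/usr/bin/env perl
# Added illustration of the token-in-url pattern; not the code of
# Mojolicious::Plugin::DeCSRF. protected_url, @protected and $token_name
# are names chosen for this example.
use Mojolicious::Lite;
use Mojo::Util qw(secure_compare);

my $token_name = 'token';
# Anchored patterns: a path that merely contains "protected" somewhere in
# the middle is not matched by accident.
my @protected = (qr{^/protected$}, qr{^/admin(?:/|$)});

sub is_protected {
  my $path = shift;
  return scalar grep { $path =~ $_ } @protected;
}

# Wrap a route name or path; append the per-session token only when the
# resulting path is protected. csrf_token is the framework's default helper
# and stores one random token in the session.
helper protected_url => sub {
  my ($c, $target) = @_;
  my $url = $c->url_for($target);
  return $url unless is_protected($url->path->to_string);
  return $url->query([$token_name => $c->csrf_token]);
};

# Central check: runs before the router, so every protected url is covered
# even if a route handler forgets to check.
hook before_dispatch => sub {
  my $c = shift;
  return unless is_protected($c->req->url->path->to_string);
  my $sent = $c->param($token_name) // '';
  my $want = $c->session('csrf_token') // '';
  # A missing session token must fail too; never let '' match ''.
  return if length $want && secure_compare($sent, $want);
  $c->render(text => 'Forbidden!', status => 403);
};

get '/' => sub {
  my $c = shift;
  $c->render(text => 'Protected area: ' . $c->protected_url('protected'));
} => 'index';

get '/protected' => sub {
  shift->render(text => 'Welcome, you arrived with a valid token.');
} => 'protected';

app->start;
```

Two design points carry over to any such setup: the comparison uses secure_compare rather than eq so that timing does not leak the token, and an empty session token is rejected explicitly, because a client that has never visited a page that minted a token would otherwise pass with an empty parameter.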

OPTIONS

Options can be changed at any time, at registration or later.

decsrf->on_mismatch

Set a custom mismatch handling callback. The default is $self->render(text => "Forbidden!", status => 403);

decsrf->on_mismatch( sub {
  shift->render(template => '503', status => 503);
} );

decsrf->token_length

Set a custom token length. The default length is 4 symbols drawn from the ranges 'A-Z', 'a-z', '0-9' and the characters '@', '$', '-', '_'.

decsrf->token_length(40);

decsrf->token_name

Set a custom token name, used both for the url parameter and for the session key. The default name is 'token'.

decsrf->token_name('csrf');

decsrf->urls

Set the urls that must be protected. Regular expressions (see perlre) can be used.

decsrf->urls([qw~/protected /.*?ected~]);
push @{decsrf->urls}, qw~/protected /.*?ected~;

METHODS

Mojolicious::Plugin::DeCSRF inherits all methods from Mojolicious::Plugin and implements the following new ones.

register

$plugin->register(Mojolicious->new);

Register plugin in Mojolicious application.

decsrf->url

Add the token parameter (named by decsrf->token_name) to a url that matches one of decsrf->urls.

# /protected?token=XXXX
decsrf->url('/protected');

# /protected?foo=bar&token=XXXX
decsrf->url('/protected?foo=bar');

AUTHOR

Ilya Tokarev <sysadm@cpan.org>

COPYRIGHT AND LICENSE

Copyright (C) 2013, Ilya Tokarev.

This program is free software, you can redistribute it and/or modify it under the terms of the Artistic License version 2.0.

SEE ALSO

Mojolicious, Mojolicious::Guides, http://mojolicio.us.