gorilla/csrf provides Cross Site Request Forgery (CSRF) prevention middleware for Go web applications & services 🔒

gorilla/csrf

GoDoc Sourcegraph Reviewed by Hound CircleCI

gorilla/csrf is a HTTP middleware library that provides cross-site request forgery (CSRF) protection. It includes:

  • The csrf.Protect middleware/handler provides CSRF protection on routes attached to a router or a sub-router.
  • A csrf.Token function that provides the token to pass into your response, whether that be a HTML form or a JSON response body.
  • ... and a csrf.TemplateField helper that you can pass into your html/template templates to replace a {{ .csrfField }} template tag with a hidden input field.

gorilla/csrf is designed to work with any Go web framework, including:

gorilla/csrf is also compatible with middleware 'helper' libraries like Alice and Negroni.

Contents

Install

With a properly configured Go toolchain:

go get github.com/gorilla/csrf

Examples

gorilla/csrf is easy to use: add the middleware to your router with the below:

CSRF := csrf.Protect([]byte("32-byte-long-auth-key"))
http.ListenAndServe(":8000", CSRF(r))

...and then collect the token with csrf.Token(r) in your handlers before passing it to the template, JSON body or HTTP header (see below).

Note that the authentication key passed to csrf.Protect([]byte(key)) should be 32-bytes long and persist across application restarts. Generating a random key won't allow you to authenticate existing cookies and will break your CSRF validation.

gorilla/csrf inspects the HTTP headers (first) and form body (second) on subsequent POST/PUT/PATCH/DELETE/etc. requests for the token.

HTML Forms

Here's the common use-case: HTML forms you want to provide CSRF protection for, in order to protect malicious POST requests being made:

package main

import (
    "net/http"

    "github.com/gorilla/csrf"
    "github.com/gorilla/mux"
)

func main() {
    r := mux.NewRouter()
    r.HandleFunc("/signup", ShowSignupForm)
    // All POST requests without a valid token will return HTTP 403 Forbidden.
    // We should also ensure that our mutating (non-idempotent) handler only
    // matches on POST requests. We can check that here, at the router level, or
    // within the handler itself via r.Method.
    r.HandleFunc("/signup/post", SubmitSignupForm).Methods("POST")

    // Add the middleware to your router by wrapping it.
    http.ListenAndServe(":8000",
        csrf.Protect([]byte("32-byte-long-auth-key"))(r))
    // PS: Don't forget to pass csrf.Secure(false) if you're developing locally
    // over plain HTTP (just don't leave it on in production).
}

func ShowSignupForm(w http.ResponseWriter, r *http.Request) {
    // signup_form.tmpl just needs a {{ .csrfField }} template tag for
    // csrf.TemplateField to inject the CSRF token into. Easy!
    t.ExecuteTemplate(w, "signup_form.tmpl", map[string]interface{}{
        csrf.TemplateTag: csrf.TemplateField(r),
    })
    // We could also retrieve the token directly from csrf.Token(r) and
    // set it in the request header - w.Header.Set("X-CSRF-Token", token)
    // This is useful if you're sending JSON to clients or a front-end JavaScript
    // framework.
}

func SubmitSignupForm(w http.ResponseWriter, r *http.Request) {
    // We can trust that requests making it this far have satisfied
    // our CSRF protection requirements.
}

Note that the CSRF middleware will (by necessity) consume the request body if the token is passed via POST form values. If you need to consume this in your handler, insert your own middleware earlier in the chain to capture the request body.

JavaScript Applications

This approach is useful if you're using a front-end JavaScript framework like React, Ember or Angular, and are providing a JSON API. Specifically, we need to provide a way for our front-end fetch/AJAX calls to pass the token on each fetch (AJAX/XMLHttpRequest) request. We achieve this by:

  • Parsing the token from the <input> field generated by the csrf.TemplateField(r) helper, or passing it back in a response header.
  • Sending this token back on every request
  • Ensuring our cookie is attached to the request so that the form/header value can be compared to the cookie value.

We'll also look at applying selective CSRF protection using gorilla/mux's sub-routers, as we don't handle any POST/PUT/DELETE requests with our top-level router.

package main

import (
    "github.com/gorilla/csrf"
    "github.com/gorilla/mux"
)

func main() {
    r := mux.NewRouter()
    csrfMiddleware := csrf.Protect([]byte("32-byte-long-auth-key"))

    api := r.PathPrefix("/api").Subrouter()
    api.Use(csrfMiddleware)
    api.HandleFunc("/user/{id}", GetUser).Methods("GET")

    http.ListenAndServe(":8000", r)
}

func GetUser(w http.ResponseWriter, r *http.Request) {
    // Authenticate the request, get the id from the route params,
    // and fetch the user from the DB, etc.

    // Get the token and pass it in the CSRF header. Our JSON-speaking client
    // or JavaScript framework can now read the header and return the token in
    // in its own "X-CSRF-Token" request header on the subsequent POST.
    w.Header().Set("X-CSRF-Token", csrf.Token(r))
    b, err := json.Marshal(user)
    if err != nil {
        http.Error(w, err.Error(), 500)
        return
    }

    w.Write(b)
}

In our JavaScript application, we should read the token from the response headers and pass it in a request header for all requests. Here's what that looks like when using Axios, a popular JavaScript HTTP client library:

// You can alternatively parse the response header for the X-CSRF-Token, and
// store that instead, if you followed the steps above to write the token to a
// response header.
let csrfToken = document.getElementsByName("gorilla.csrf.Token")[0].value

// via https://github.com/axios/axios#creating-an-instance
const instance = axios.create({
  baseURL: "https://example.com/api/",
  timeout: 1000,
  headers: { "X-CSRF-Token": csrfToken }
})

// Now, any HTTP request you make will include the csrfToken from the page,
// provided you update the csrfToken variable for each render.
try {
  let resp = await instance.post(endpoint, formData)
  // Do something with resp
} catch (err) {
  // Handle the exception
}

If you plan to host your JavaScript application on another domain, you can use the Trusted Origins feature to allow the host of your JavaScript application to make requests to your Go application. Observe the example below:

package main

import (
    "github.com/gorilla/csrf"
    "github.com/gorilla/mux"
)

func main() {
    r := mux.NewRouter()
    csrfMiddleware := csrf.Protect([]byte("32-byte-long-auth-key"), csrf.TrustedOrigins([]string{"ui.domain.com"}))

    api := r.PathPrefix("/api").Subrouter()
    api.Use(csrfMiddleware)
    api.HandleFunc("/user/{id}", GetUser).Methods("GET")

    http.ListenAndServe(":8000", r)
}

func GetUser(w http.ResponseWriter, r *http.Request) {
    // Authenticate the request, get the id from the route params,
    // and fetch the user from the DB, etc.

    // Get the token and pass it in the CSRF header. Our JSON-speaking client
    // or JavaScript framework can now read the header and return the token in
    // in its own "X-CSRF-Token" request header on the subsequent POST.
    w.Header().Set("X-CSRF-Token", csrf.Token(r))
    b, err := json.Marshal(user)
    if err != nil {
        http.Error(w, err.Error(), 500)
        return
    }

    w.Write(b)
}

On the example above, you're authorizing requests from ui.domain.com to make valid CSRF requests to your application, so you can have your API server on another domain without problems.

Google App Engine

If you're using Google App Engine, (first-generation) which doesn't allow you to hook into the default http.ServeMux directly, you can still use gorilla/csrf (and gorilla/mux):

package app

// Remember: appengine has its own package main
func init() {
    r := mux.NewRouter()
    r.HandleFunc("/", IndexHandler)
    // ...

    // We pass our CSRF-protected router to the DefaultServeMux
    http.Handle("/", csrf.Protect([]byte(your-key))(r))
}

Note: You can ignore this if you're using the second-generation Go runtime on App Engine (Go 1.11 and above).

Setting SameSite

Go 1.11 introduced the option to set the SameSite attribute in cookies. This is valuable if a developer wants to instruct a browser to not include cookies during a cross site request. SameSiteStrictMode prevents all cross site requests from including the cookie. SameSiteLaxMode prevents CSRF prone requests (POST) from including the cookie but allows the cookie to be included in GET requests to support external linking.

func main() {
    CSRF := csrf.Protect(
      []byte("a-32-byte-long-key-goes-here"),
      // instruct the browser to never send cookies during cross site requests
      csrf.SameSite(csrf.SameSiteStrictMode),
    )

    r := mux.NewRouter()
    r.HandleFunc("/signup", GetSignupForm)
    r.HandleFunc("/signup/post", PostSignupForm)

    http.ListenAndServe(":8000", CSRF(r))
}

Setting Options

What about providing your own error handler and changing the HTTP header the package inspects on requests? (i.e. an existing API you're porting to Go). Well, gorilla/csrf provides options for changing these as you see fit:

func main() {
    CSRF := csrf.Protect(
            []byte("a-32-byte-long-key-goes-here"),
            csrf.RequestHeader("Authenticity-Token"),
            csrf.FieldName("authenticity_token"),
            csrf.ErrorHandler(http.HandlerFunc(serverError(403))),
    )

    r := mux.NewRouter()
    r.HandleFunc("/signup", GetSignupForm)
    r.HandleFunc("/signup/post", PostSignupForm)

    http.ListenAndServe(":8000", CSRF(r))
}

Not too bad, right?

If there's something you're confused about or a feature you would like to see added, open an issue.

Design Notes

Getting CSRF protection right is important, so here's some background:

  • This library generates unique-per-request (masked) tokens as a mitigation against the BREACH attack.
  • The 'base' (unmasked) token is stored in the session, which means that multiple browser tabs won't cause a user problems as their per-request token is compared with the base token.
  • Operates on a "whitelist only" approach where safe (non-mutating) HTTP methods (GET, HEAD, OPTIONS, TRACE) are the only methods where token validation is not enforced.
  • The design is based on the battle-tested Django and Ruby on Rails approaches.
  • Cookies are authenticated and based on the securecookie library. They're also Secure (issued over HTTPS only) and are HttpOnly by default, because sane defaults are important.
  • Cookie SameSite attribute (prevents cookies from being sent by a browser during cross site requests) are not set by default to maintain backwards compatibility for legacy systems. The SameSite attribute can be set with the SameSite option.
  • Go's crypto/rand library is used to generate the 32 byte (256 bit) tokens and the one-time-pad used for masking them.

This library does not seek to be adventurous.

License

BSD licensed. See the LICENSE file for details.

Owner
Gorilla Web Toolkit
Gorilla is a web toolkit for the Go programming language that provides useful, composable packages for writing HTTP-based applications.
Gorilla Web Toolkit
https://github.com/gorilla/csrf https://github.com/gorilla/csrf
Comments
  • Getting 'Forbidden - CSRF token invalid' while sending Ajax POST request using javascript XMLHttpRequest()

    Getting 'Forbidden - CSRF token invalid' while sending Ajax POST request using javascript XMLHttpRequest()

    Hello, please I need help am sending many Ajax requests on my application and am making use of csrf, but some of the ajax requests returns 'Forbidden - CSRF token invalid' while some goes through without any issues and I have made sure that the javascript script code are the same on all the requests only changing the handler that each calls but still can't figure out while some don't go through, the ones am using through hidden input on forms goes through as well without any issue, my code snippet is below.

    var crsfValue = document.getElementsByTagName('meta')['gorilla.csrf.Token'].getAttribute('content');
            var xhr = new XMLHttpRequest();
            xhr.open('POST', '/Device/UnLock');
            xhr.setRequestHeader('X-CSRF-Token',crsfValue);
            xhr.send(clicked);

    Meanwhile, I always load the token using a meta tag on the head of my master page

  • [question] XHR + CSRF questions

    [question] XHR + CSRF questions

    For example, in terms of your "JavaScript Applications" example, suppose an attacker manages to let a user of the target website click a link leading to a page of the attacker's website, which in turn make the following request (I use conceptual code) to the target website (assuming that the url which supplying the innital token is 'https://target-site.com/get/token'):

    fetch('https://target-site.com/get/token')
.then(token => {
  // request the target website do something bad with the token
  fetch('https://target-site.com/do/something/bad', {
    method: 'post',
    headers: { "X-CSRF-Token": token},
    credentials: 'include'
  })
})
  • Clearing `_gorilla_csrf` cookie not regenerating

    Clearing `_gorilla_csrf` cookie not regenerating

    Hi there, I'm having trouble with the secure cookie _gorilla_csrf regenerating when I clear out the cookie from browser. I notice it only regenerates after a POST which would obviously fail and return a 403 error. I also notice that the cookie doesn't get set on page load as well.

    More context:

    • Working with a Single Page App, React
    • Using Goji for handling multiple routes
    • Passing in csrf.Protect() middleware to Goji at the root route

    Any idea what's going on?

    Any help would be appreciated!

  • [question]: Ability to ignore certain POST requests ?

    [question]: Ability to ignore certain POST requests ?

    I want to have an API structure like this

    (unauthenticated)
/register
/login

(authenticated)
/logout
/api/*

    But since both /register and /login will send data to the server, I want them to be POST requests. Now IIUC, csrf will verify all POST requests, and also it will match the cookie only for the path and its subpaths from which it was originally issued.

    Otherwise, my endpoints will look like /login/api/dothis, /login/api/dothat which will make it look very weird.

    I guess I have 2 questions -

    1. Is it possible to ignore validation on certain POST requests ?
    2. Is it possible to use a token from one path on another path ?
  • complete example

    complete example

    I can't quite get the example to work, and I keep getting Forbidden - CSRF token invalid. I'm using HTML form as illustrated and I did see an hidden input field of gorilla.csrf.Token with its value.

    am I missing something? can there be a complete example? thank you~

    ps. I even tried the example here: http://www.gorillatoolkit.org/pkg/csrf

  • CSRF 处理 multipart/form-data 的问题

    CSRF 处理 multipart/form-data 的问题

    当时使用 PathPrefix 的时候,CSRF 会失效,比如以下代码:

    CSRF := csrf.Protect( []byte("a-32-byte-long-key-goes-here"), )

    router := mux.NewRouter() router.HandleFunc("/front/", controller.FontIndex)

    adminRoutes := mux.NewRouter() adminRoutes.HandleFunc("/admin/form", controller.AdminForm)

    router.PathPrefix("/admin").Handler(negroni.New( negroni.NewRecovery(), middleware.NewCheckLogin(), negroni.Wrap(adminRoutes), ))

    n := negroni.New( negroni.NewRecovery(), )

    n.UseHandler(CSRF(router))

    log.Fatal(http.ListenAndServe(":3001", n))

    访问 http://domain/front ,CSRF是可以用的,但如果访问 http://domain/admin/form ,这时 CSRF 会失效。

  • [question] X-Csrf-Token is empty in Response headers (Secure is off)

    [question] X-Csrf-Token is empty in Response headers (Secure is off)

    Yes, my "secure" setting is set to false :)

    Using github.com/gorilla/csrf v1.7.0 and go 1.14

    I have the set up: app.localhost.com calls api.localhost.com

    Problem: Stated in title, my Response headers look like this:

    HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://app.localhost.com
Access-Control-Expose-Headers: *
Content-Length: 0
Date: Mon, 10 Aug 2020 17:07:37 GMT
Set-Cookie: testCookie=there; Domain=localhost.com; Expires=Mon, 10 Aug 2020 17:37:37 GMT; HttpOnly
Set-Cookie: _gorilla_csrf=MTU5NzA3OTI1N3xJamRvUWxwdVlVSmlaRWRqVWpkSmJVRldNRzFtVFcxUmNEbEhSQ3RZVGs5aFYyZ3hRa1JrYzNCQk5EQTlJZ289fDhJXLZGYzxZ9ctPZcVEiV3JvgsZ9VVc-55nWhOcucz-; Domain=localhost.com; Expires=Tue, 11 Aug 2020 05:07:37 GMT; Max-Age=43200; HttpOnly; SameSite=Lax
Vary: Origin
X-Csrf-Token:  // Problem right here
Xcrsf: hello!  // Shows that I can set a header

    My (pared down) server code looks like this:

    func main() {

	r := chi.NewRouter()
	r.Use(middleware.Recoverer)
	r.Use(middleware.Logger)
	r.Use(middleware.Timeout(30 * time.Second))
	r.Use(httprate.LimitByIP(100, 1*time.Minute))

	r.Use(cors.New(cors.Options{
		AllowedOrigins:   []string{"http://app.localhost.com", "http://api.localhost.com"},
		AllowCredentials: true,
		Debug:            true,
		AllowedHeaders:   []string{"Content-Type", "Sentry-Trace", "X-CSRF-Token"},
		//AllowedHeaders:   []string{"*"},
		MaxAge:           300,
		ExposedHeaders: []string{"*"},
	}).Handler)
	r.Use(AddUserIDToCTX())

	port := os.Getenv("PORT")
	if port == "" {
		port = defaultPort
	}

	csrfMiddleware := csrf.Protect([]byte("AB4F63F9AC65152575886860DDE480A1"),
		csrf.TrustedOrigins([]string{"localhost.com"}),
		csrf.Secure(false),
		csrf.ErrorHandler(http.HandlerFunc(func(res http.ResponseWriter, req *http.Request) {
			fmt.Printf("failed CSRF - %s", csrf.FailureReason(req))
		})),
	)
	r.Use(csrfMiddleware)

	r.Route("/graphql", func(r chi.Router) {
             // graphql stuff
	})

	panic(http.ListenAndServe("0.0.0.0:8089", appdb.SessionManager.LoadAndSave(r)))
}

    And then I set the header in my session middleware:

    //// Middleware decodes the share session cookie and packs the session into context
func AddUserIDToCTX() func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

			// Add CSRF Token on each request
			w.Header().Set("X-CSRF-Token", csrf.Token(r))
			w.Header().Set("xcrsf", "hello!")
			// Session stuff below
		})
	}
}

    Any idea why my header won't get set? Should I share my Traefik config?

    Ps. Love listening to the Gorilla team on the Go Time podcast!

  • csrf.Token() returns an empty token, even though _gorilla_csrf cookie is set

    csrf.Token() returns an empty token, even though _gorilla_csrf cookie is set

    I'm having trouble getting the Token() helper function to work.

    I've wrapped my root-level handler with a csrf.Protect handler, which seems to work. The handler rejects requests that don't specify the correct token, and also sets the _gorilla_csrf cookie on GET requests.

    But when I use csrf.Token for setting X-CSRF-Token as described in the docs, I get an empty string.

    Looking at the function it seems that an empty string will be returned if the context store does not contain the token secret. But I don't understand how that can be when I'm also getting the _gorilla_csrf cookie set to a non-empty value.

    Any pointers or clarification would be greatly appreciated.

  • [bug] CSRF verification fail if requests takes too long

    [bug] CSRF verification fail if requests takes too long

    Describe the bug CSRF verification fail if requests takes too long

    Versions

    Go version: go version go version go version go1.13.6 linux/amd64

    package version: run git rev-parse HEAD inside the repo stevek@stevek-macbook 12:53 ~/g/s/g/g/csrf master> git rev-parse HEAD 4b50158aba1b9683db9b198ddc61436713e778f8 stevek@stevek-macbook 12:53 ~/g/s/g/g/csrf master>

    Steps to Reproduce I use the upload features in my app. When uploading small files - or doing any other form activities it works fine. The same session try to upload a large file (2.7G) when upload finsihed the app return CSRF invalid token error.

    If I run it in the local development box and upload the same file which is much faster the error does not happen.

    I suspects it has a timeout settings somewhere but searching around does not give me the answer yet.

    Is there any timeout at the server when a csrf token is sumitted and failed to verify?

    Thanks

    Expected behavior

    What output or behaviour were you expecting instead?

    Code Snippets

    A minimum viable code snippet can be useful! (use backticks to format it).

  • Using same csrf token for form and api calls from js side

    Using same csrf token for form and api calls from js side

    Hello, guys!

    I'm developing an SPA application. Its uses an auth token and csrf token.

    So have added an hidden field with csrf token to my index.html file. Then, when i'm creating an http request i'm parsing value from this hidden field and add this token to request headers.

    But each time it fails.

    so. my server:

    func NewServer() *Server {
	csrfMiddleware := csrf.Protect(
		[]byte("32-byte-long-auth-key"),
	)

	router := mux.NewRouter()
	fs := http.FileServer(http.Dir(server.config.StaticDir))

	apiController := consoleapi.NewController()
	apiRouter := router.PathPrefix("/api/v0/controller").Subrouter()
	apiRouter.Use(csrfMiddleware)
	apiRouter.HandleFunc("/api-call", apiController.Call).Methods(http.MethodPost)
	
	// handler for index.html
        router.PathPrefix("/").Handler(csrfMiddleware(http.HandlerFunc(server.appHandler)))

	server.server = http.Server{
		Handler:        router,
	}

	return &server
}

func (server *Server) appHandler(w http.ResponseWriter, r *http.Request) {
	var data struct {
		CsrfTag            template.HTML
	}

	data.CsrfTag = csrf.TemplateField(r)

        // executing index template 
	server.templates.index.Execute(w, data) 
}

    So, my hidden input creates successfully with needed token value.

    <input type="hidden" name="gorilla.csrf.Token" value="CSRF_TOKEN">

    and each time before executing an api call i do next:

    const csrfToken = (document.getElementsByName("gorilla.csrf.Token")[0] as any).value;
const headers: Record<string, string> = {
          ...
            'X-CSRF-Token': csrfToken,
        };

    Versions

    Go version: go version go1.13.4 linux/amd64

    package version: v1.6.2 …

  • Forbidden - CSRF token invalid

    Forbidden - CSRF token invalid

    Sorry for the support question here. I can't get it working. Can you see what I've done wrong here please?

    https://s.natalian.org/2017-12-12/invalid.txt

  • [bug] Generate CSRF tokens for skipped requests

    [bug] Generate CSRF tokens for skipped requests

    Describe the bug

    (First off, I'm not 100% whether this is a bug, a feature request, or me not understanding something, so apologies if I categorized it incorrectly).

    I have a REST API that uses JWT authentication for non-browser clients, but want to support cookie-based authentication for web clients. To support this, I am calling UnsafeSkipCheck if no authentication / session cookie is present in the request (and JWT authentication will be used instead where I do not worry about CSRF).

    However, calling UnsafeSkipCheck exits so early that no CSRF token is ever generated, which means that GET requests will not be responded to with a X-CSRF-Token header, and the client has essentially no way of obtaining a CSRF token.

    Is there a reason why skipping the check prevents a token from being generated altogether? Am I just approaching this wrong?

    I can call UnsafeSkipCheck much more selectively to bypass this issue, but that doesn't feel correct.

    Versions

    Go version: go version go1.19 darwin/arm64 package version: v1.7.1

  • issues/158/examples for working api with javascript frontend

    issues/158/examples for working api with javascript frontend

    Fixes #158, which is essentially that

    1. none of the examples in the README for working with a JavaScript frontend will work without proper CORS config on the backend
    2. there is no example at all for using the HTTP header instead of getting the CSRF token from the hidden form field

    Summary of Changes

    I have merged/copied over these simplified examples from my own repository of working examples.

    I was not sure how the maintainers may want to reference these examples in the main README. Copying them over to the README verbatim would be putting a lot of code into the README, but without changing the current README, the content there differs significantly from the examples.

Related tags
Forms golang security middleware gorilla csrf csrf-protection csrf-tokens xsrf
CSRF protection middleware for Go.

nosurf nosurf is an HTTP package for Go that helps you prevent Cross-Site Request Forgery attacks. It acts like a middleware and therefore is compatib

Jan 8, 2023
A lightweight go library for parsing form data or json from an http.Request.

Forms Forms is a lightweight, but incredibly useful go library for parsing form data from an http.Request. It supports multipart forms, url-encoded fo

Dec 16, 2022
gorilla/csrf provides Cross Site Request Forgery (CSRF) prevention middleware for Go web applications & services 🔒

gorilla/csrf gorilla/csrf is a HTTP middleware library that provides cross-site request forgery (CSRF) protection. It includes: The csrf.Protect middl

Jan 9, 2023
golang csrf react example, using gorilla/mux and gorilla/mux

Demo REST backend Gorilla csrf middleware and Js frontend Use gorilla/mux and gorilla/csrf How to run open goland IDE, run middleware_test.go by click

Feb 2, 2022
fastglue-csrf implements CSRF middleware for fastglue.

fastglue-csrf Overview fastglue-csrf implements CSRF middleware for fastglue.

Jan 5, 2022
Package csrf is a middleware that generates and validates CSRF tokens for Flamego

csrf Package csrf is a middleware that generates and validates CSRF tokens for Flamego.

Nov 25, 2022
CSRF prevention for the Golang Revel framework.

revel-csrf revel-csrf implements Cross-Site Request Forgery (CSRF) attacks prevention for the Revel framework. Code is based on the nosurf package imp

Dec 7, 2022
SSRFuzz is a tool to find Server Side Request Forgery vulnerabilities, with CRLF chaining capabilities

SSRFuzz is a tool to find Server Side Request Forgery vulnerabilities, with CRLF chaining capabilities Why?

Dec 8, 2022
A collection of useful middleware for Go HTTP services & web applications 🛃

gorilla/handlers Package handlers is a collection of handlers (aka "HTTP middleware") for use with Go's net/http package (or any framework supporting

Dec 31, 2022
Package gorilla/securecookie encodes and decodes authenticated and optionally encrypted cookie values for Go web applications.

securecookie securecookie encodes and decodes authenticated and optionally encrypted cookie values. Secure cookies can't be forged, because their valu

Dec 26, 2022
CSRF protection middleware for Go.

nosurf nosurf is an HTTP package for Go that helps you prevent Cross-Site Request Forgery attacks. It acts like a middleware and therefore is compatib

Jan 8, 2023
Amazon Web Services (AWS) providerAmazon Web Services (AWS) provider

Amazon Web Services (AWS) provider The Amazon Web Services (AWS) resource provider for Pulumi lets you use AWS resources in your cloud programs. To us

Nov 10, 2021
Database security suite. Database proxy with field-level encryption, search through encrypted data, SQL injections prevention, intrusion detection, honeypots. Supports client-side and proxy-side ("transparent") encryption. SQL, NoSQL.
 Database security suite. Database proxy with field-level encryption, search through encrypted data, SQL injections prevention, intrusion detection, honeypots. Supports client-side and proxy-side (

Database protection suite with field level encryption and intrusion detection. | Acra Engineering Examples | Documentation | Installation | Examples a

Dec 28, 2022
A multi-level cache library with stampede prevention for Go

HybridCache A multi-level cache library with cache stampede prevention for Go import "github.com/cshum/hybridcache" // Redis cache adapter based on R

Nov 21, 2022
Package gorilla/sessions provides cookie and filesystem sessions and infrastructure for custom session backends.

sessions gorilla/sessions provides cookie and filesystem sessions and infrastructure for custom session backends. The key features are: Simple API: us

Dec 28, 2022
Source code related to an on-site demonstration (for Ardan Labs) of packaging Go applications with Nix

Ardan Labs Nix Demo High-Level Overview We bumbled the scheduling of an earlier presentation about git worktree that a few co-workers attended. In eff

Oct 12, 2022
The mep-agent module provides proxy services for 3rd applications to MEP.

Mep-Agent Introduction Mep-Agent is a middleware that provides proxy services for third-party apps. It can help apps, which do not implement the ETSI

Mar 9, 2022
log4jScanner: provides you with the ability to scan internal (only) subnets for vulnerable log4j web servicelog4jScanner: provides you with the ability to scan internal (only) subnets for vulnerable log4j web service
 log4jScanner: provides you with the ability to scan internal (only) subnets for vulnerable log4j web servicelog4jScanner: provides you with the ability to scan internal (only) subnets for vulnerable log4j web service

log4jScanner Goals This tool provides you with the ability to scan internal (only) subnets for vulnerable log4j web services. It will attempt to send

Jan 5, 2023
This package provides json web token (jwt) middleware for goLang http servers

jwt-auth jwt auth middleware in goLang. If you're interested in using sessions, checkout my sessions library! README Contents: Quickstart Performance

Dec 5, 2022
Validate Golang request data with simple rules. Highly inspired by Laravel's request validation.
 Validate Golang request data with simple rules. Highly inspired by Laravel's request validation.

Validate golang request data with simple rules. Highly inspired by Laravel's request validation. Installation Install the package using $ go get githu

Dec 29, 2022