Iron Double Submit Cookie Cross-Site Request Forgery


Iron middleware providing CSRF protection.

Usage Example

```rust
extern crate iron_dsc_csrf;
extern crate iron;

use iron_dsc_csrf::Csrf;
use iron::AroundMiddleware;
use iron::prelude::*;
use iron::status;

fn main() {
    // The middleware issues the token cookie and, on unsafe methods,
    // requires `extract_token` to return a value that matches it.
    let csrf = Csrf::new(extract_token);

    let handler = csrf.around(Box::new(index));

    // Make and start the server
    Iron::new(handler).http("localhost:8080").unwrap();
}

fn extract_token(request: &Request) -> Option<String> {
    // Here you can extract the token from the form body, the query string,
    // or anywhere else you like. In this simple example, we treat the entire
    // query string as the CSRF token.
    request.url.query().map(|x| x.to_owned())
}

fn index(request: &mut Request) -> IronResult<Response> {
    // The middleware stores the token in the request extensions. The type
    // parameter was lost in extraction; `Csrf` is assumed here because it is
    // the only type this example imports from the crate.
    let token = request.extensions.get::<Csrf>().unwrap();
    let msg = format!("Hello, CSRF Token: {}", token);
    Ok(Response::with((status::Ok, msg)))
}
```

Overview

iron-dsc-csrf is an Iron middleware that provides protection against Cross-Site Request Forgery (CSRF) attacks. For more information on CSRF attacks, see the OWASP and Wikipedia articles on the subject.

This middleware uses an approach called Double Submit Cookie: a random token is generated and stored client-side in a cookie. Any time an unsafe HTTP method (e.g. POST, PUT, DELETE) is used, the submission must also carry the same token somewhere the server can read it (a form field, header or query parameter, whatever `extract_token` looks at), and the request is rejected unless the submitted value matches the cookie. The check works because a page on another origin can trigger the request but, under the same-origin policy, cannot read the cookie to copy its value into the submission. Note that the scheme also assumes the attacker cannot set cookies for your domain: a compromised subdomain or a cookie-injection flaw that lets an attacker plant a known cookie value defeats it, which is the main reason to prefer a server-side synchronizer token where you can afford the session state. OWASP has a more detailed description.
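To make the decision concrete, here is the double submit check written as a stand-alone function over a minimal request model (method, `Cookie:` header, form body). This is an added example, not code from iron-dsc-csrf; the cookie name `csrf`, field name `csrf_token`, the `CsrfDecision` type and the sample requests are all this example's own assumptions. It goes slightly beyond the paragraph by also showing a length-independent, non-short-circuiting comparison so that response timing does not leak how much of a token a guess got right.

```rust
// Added example of the double submit cookie check, independent of Iron.
// Names below (COOKIE_NAME, FIELD_NAME, CsrfDecision) are assumptions of
// this example, not the crate's API.

const COOKIE_NAME: &str = "csrf";
const FIELD_NAME: &str = "csrf_token";

#[derive(Debug, PartialEq)]
pub enum CsrfDecision {
    /// Safe method (GET/HEAD/OPTIONS/TRACE): no token required.
    SafeMethod,
    /// Unsafe method and the submitted token matches the cookie.
    Accept,
    /// Unsafe method, but the cookie or submission was missing or mismatched.
    Reject(&'static str),
}

/// RFC 7231 safe methods must not change server state, so a cross-site
/// request using one of them cannot do the damage the CSRF check prevents.
pub fn is_safe_method(method: &str) -> bool {
    matches!(
        method.to_ascii_uppercase().as_str(),
        "GET" | "HEAD" | "OPTIONS" | "TRACE"
    )
}

/// Extract a named cookie from a `Cookie:` request header value.
pub fn cookie_value<'a>(cookie_header: &'a str, name: &str) -> Option<&'a str> {
    cookie_header
        .split(';')
        .map(str::trim)
        .filter_map(|pair| pair.split_once('='))
        .find(|(k, _)| *k == name)
        .map(|(_, v)| v)
}

/// Extract a named field from an application/x-www-form-urlencoded body.
/// No percent-decoding: tokens are assumed to be plain hex, which never
/// needs URL encoding.
pub fn form_field<'a>(body: &'a str, name: &str) -> Option<&'a str> {
    body.split('&')
        .filter_map(|pair| pair.split_once('='))
        .find(|(k, _)| *k == name)
        .map(|(_, v)| v)
}

/// Compare two tokens without stopping at the first differing byte, so the
/// time taken does not depend on how long a matching prefix was.
pub fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// The middleware decision for one request.
pub fn check_request(method: &str, cookie_header: Option<&str>, body: &str) -> CsrfDecision {
    if is_safe_method(method) {
        return CsrfDecision::SafeMethod;
    }
    let cookie = match cookie_header.and_then(|h| cookie_value(h, COOKIE_NAME)) {
        Some(c) if !c.is_empty() => c,
        _ => return CsrfDecision::Reject("missing CSRF cookie"),
    };
    let submitted = match form_field(body, FIELD_NAME) {
        Some(s) => s,
        None => return CsrfDecision::Reject("missing CSRF token in submission"),
    };
    if constant_time_eq(cookie.as_bytes(), submitted.as_bytes()) {
        CsrfDecision::Accept
    } else {
        CsrfDecision::Reject("CSRF token does not match cookie")
    }
}

fn main() {
    // Constructed sample requests, not captured traffic.
    let token = "3f9a1c7e5b2d4a8f";
    let cookie = format!("session=abc; {}={}", COOKIE_NAME, token);
    let good_body = format!("amount=100&{}={}", FIELD_NAME, token);
    // A cross-site form cannot read the victim's cookie, so the best an
    // attacker can do is submit a guessed value.
    let forged_body = "amount=100&csrf_token=0000000000000000";
    println!("{:?}", check_request("POST", Some(&cookie), &good_body));
    println!("{:?}", check_request("POST", Some(&cookie), forged_body));
    println!("{:?}", check_request("POST", None, &good_body));
    println!("{:?}", check_request("GET", None, ""));
}
```

The only state the server needs is the cookie the client sends back, which is what makes the scheme stateless; the flip side, as noted above, is that the check cannot tell a cookie it issued from one an attacker managed to plant.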