This middleware prevents CSRF attacks by providing a randomly-generated anti-forgery token.
Add the following dependency to your project.clj:
[ring-anti-forgery "0.3.0"]
Apply the wrap-anti-forgery middleware to your Ring handler, along
with the standard wrap-session middleware supplied in Ring core:
(use 'ring.middleware.anti-forgery
'ring.middleware.session)
(def app
(-> handler
wrap-anti-forgery
wrap-session))Any request that isn't a HEAD or GET request will now require an
anti-forgery token, or an "access denied" response will be returned.
The token is bound to the session, and accessible via the
*anti-forgery-token* var.
By default the middleware looks for the anti-forgery token in the
__anti-forgery-token form parameter, which can be added to your
forms as a hidden field. For convenience, this library provides a
function to generate the HTML of that hidden field:
(use 'ring.util.anti-forgery)
(anti-forgery-field) ;; returns the HTML for the anti-forgery fieldThe middleware also looks for the token in the X-CSRF-Token and
X-XSRF-Token header fields. This behavior can be customized further
using the :read-token option:
(defn get-custom-token [request]
(get-in request [:headers "x-forgery-token"]))
(def app
(-> handler
(wrap-anti-forgery {:read-token get-custom-token})
(wrap-session)))It's also possible to customize the error response returned when the token is invalid or missing:
(def custom-error-response
{:status 403
:headers {"Content-Type" "text/html"}
:body "<h1>Missing anti-forgery token</h1>"})
(def app
(-> handler
(wrap-anti-forgery {:error-response custom-error-response})
(wrap-session)))The anti-forgery middleware will prevent POSTs, PUTs, PATCHes, and DELETEs, working for web service routes, so you should only apply this middleware to the part of your website meant to be accessed by browsers.
Copyright © 2013 James Reeves
Distributed under the MIT License.