Security

Linz comes with a number of security features out of the box including:

  • CSRF Protection

CSRF Protection#

CSRF protection helps prevent unauthorized commands that are transmitted from a user that the web application trusts.

You can read more about CSRF on OWASP.

Customising CSRF#

Linz uses the csurf module to provide CSRF protection.

To customise the options you can supply Linz with the option 'csrf options: {}'. It accepts an object with the same properties as the csurf module:

linz.init({
options: {
'csrf options': {},
},
});

Custom error handler#

CSRF errors throw an error with the code err.code === 'EBADCSRFTOKEN'. You can use this in your error handlers to display a custom message.

For example, here is a snippet from the linz error middleware:

module.exports = function (err, req, res, next) {
if (err.code === 'EBADCSRFTOKEN') {
err.message = (!req.body._csrf || req.body._csrf === 'undefined') ? 'No CSRF token was provided.' : 'The wrong CSRF token was provided.';
}
...
}

Adding CSRF protection to a custom form#

The csurf module exposes the csrf token via req.csrfToken().

When implementing a custom page with a form, make sure to pass the following hidden input:

<input type="hidden" name="_csrf" value="{{csrfToken}}" />

This is handled automatically for you when using linz.api.model.generateFormString(). Just make sure to add the csrfToken option:

linz.api.model.generateFormString(linz.api.model.get('user'), {
csrfToken: req.csrfToken(),
});
Edit this page