sails.config.csrf
Configuration for Sails' built-in CSRF protection middleware. These options are conventionally set in the config/csrf.js
configuration file. See the docs on Cross-Site Request Forgery in the security section for detailed usage instructions.
This option protects your Sails app against cross-site request forgery (CSRF) attacks. A would-be attacker would need not only a user's session cookie but also this timestamped, secret CSRF token, which is granted or refreshed when the user visits a URL on your app's domain.
This gives you confidence that your users' requests haven't been hijacked, and that the requests they make are intentional and legitimate.
Properties
Property | Type | Default | Details
---|---|---|---
csrf | ((boolean)) or ((object)) | false | CSRF protection is disabled by default to facilitate development. To turn it on, set sails.config.csrf to true, or to an object as described below.
csrf object settings
Besides true and false, you can set sails.config.csrf to an object with the following properties:
Property | Type | Default | Details
---|---|---|---
grantTokenViaAjax | ((boolean)) | true | Whether to activate the /csrfToken route, which returns the current CSRF token value so that it can be used in AJAX requests.
origin | ((string)) | '' | Comma-delimited list of origins that are allowed to access the CSRF token via the /csrfToken route. This is separate from the other CORS settings, which do not apply to /csrfToken.
routesDisabled | ((string)) | '' | Comma-delimited list of routes where CSRF protection is disabled.