io.pedestal.http.csrf
CSRF protection interceptor support, compatible with ring-anti-forgery
access-denied-response
(access-denied-response body)
anti-forgery
(anti-forgery)
(anti-forgery options)
Interceptor that prevents CSRF attacks. Any POST/PUT/PATCH/DELETE request that
passes through the interceptor returned by this function must contain a valid
anti-forgery token, or else an access-denied response is returned.
The anti-forgery token can be placed into an HTML page via the
::anti-forgery-token key in the request, which is bound to a random value
unique to the current session. By default, the token is expected to be in a
form field named '__anti-forgery-token', or in the 'X-CSRF-Token' or
'X-XSRF-Token' headers.
This behavior can be customized by supplying a map of options:
:read-token
a function that takes a request and returns an anti-forgery token, or nil
if the token does not exist.
:cookie-token
a truthy value, if you want a CSRF double-submit cookie set
:error-response
the response to return if the anti-forgery token is incorrect or missing.
:error-handler
a handler function (passed the context) to call if the anti-forgery
token is incorrect or missing (intended to return a valid response).
Only one of :error-response or :error-handler may be specified.
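A complete wiring of the interceptor with a custom :read-token and :error-handler, added here as an example and not Pedestal's own code. It assumes Pedestal's session, body-params and table-route APIs, that the :error-handler returns the context with a :response attached, and a JSON field name `csrf` chosen for this example.

```clojure
(ns example.profile-form
  (:require [io.pedestal.http.route :as route]
            [io.pedestal.http.body-params :as body-params]
            [io.pedestal.http.ring-middlewares :as middlewares]
            [io.pedestal.http.csrf :as csrf]))

;; GET: render the session-bound token into a hidden field under the default
;; name, so the default lookup (form field, then the two headers) finds it.
(defn show-form [request]
  (let [token (::csrf/anti-forgery-token request)]
    {:status  200
     :headers {"Content-Type" "text/html"}
     :body    (str "<form method=\"post\" action=\"/profile\">"
                   "<input type=\"hidden\" name=\"__anti-forgery-token\" value=\"" token "\"/>"
                   "<input name=\"display-name\"/><button>Save</button></form>")}))

;; POST: only reached when the interceptor accepted the submitted token.
(defn update-profile [request]
  {:status 200
   :body   (str "updated " (get-in request [:form-params :display-name]))})

;; :read-token override: keep the default locations and additionally accept a
;; token in a JSON body under "csrf" (field name chosen for this example), so
;; fetch()-style clients are protected by the same interceptor. Returns nil
;; when no token is present, as the option contract requires.
(defn read-token [request]
  (or (get-in request [:form-params :__anti-forgery-token])
      (get-in request [:form-params "__anti-forgery-token"])
      (get-in request [:headers "x-csrf-token"])
      (get-in request [:headers "x-xsrf-token"])
      (get-in request [:json-params :csrf])))

;; :error-handler is passed the whole context (assumed: it returns the context
;; with a :response attached); reuse the namespace's own 403 builder.
(defn csrf-denied [context]
  (assoc context :response
         (csrf/access-denied-response "<h1>Invalid anti-forgery token</h1>")))

;; The session interceptor must run before anti-forgery: the token is stored
;; in, and compared against, the current session.
(def common-interceptors
  [(middlewares/session {:cookie-attrs {:http-only true :secure true}})
   (body-params/body-params)
   (csrf/anti-forgery {:read-token    read-token
                       :error-handler csrf-denied})])

(def routes
  (route/expand-routes
    #{["/profile" :get  (conj common-interceptors show-form)      :route-name :show-form]
      ["/profile" :post (conj common-interceptors update-profile) :route-name :update-profile]}))
```

Pass `routes` as `::io.pedestal.http/routes` in the service map; a POST without a token in any of the four locations is answered by `csrf-denied` and never reaches `update-profile`.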
existing-token
(existing-token request)