Class CSRFProtection
Used to generate and validate CSRF tokens. CSRFProtection allows applications to protect themselves against CSRF attacks, using synchronizer tokens, a best practice. Once created, these tokens are tied to a user’s session and valid for 60 minutes.
Usage:
Adding CSRF token to forms:
Then, in scripts call:
| Property | Description |
|---|---|
| tokenName: String (read-only) | Returns the system generated CSRF token name. |
This class does not have a constructor, so you cannot create it directly.
| Method | Description |
|---|---|
| static generateToken() | Constructs a new unique CSRF token for this session. |
| static getTokenName() | Returns the system generated CSRF token name. |
| static validateRequest() | Verifies that a client request contains a valid CSRF token, and that the token has not expired. |
- tokenName: String
(read-only) Returns the system generated CSRF token name. Currently, this name is not user configurable. It must be used as the request parameter name for validateRequest() to work.
- static generateToken(): String
Constructs a new unique CSRF token for this session.
Returns:
- a new CSRF token
- static getTokenName(): String
Returns the system generated CSRF token name. Currently, this name is not user configurable. It must be used as the request parameter name for validateRequest() to work.
Returns:
- System-generated CSRF token parameter name
- static validateRequest(): Boolean
Verifies that a client request contains a valid CSRF token, and that the token has not expired. Returns true if both conditions are met, and false otherwise.
Returns:
- true if request contains a valid CSRF token, false otherwise