crumb - CSRF crumb generation and validation for hapi

Crumb is used to diminish CSRF attacks using a random unique token that is validated on the server side. Crumb may be used whenever you want to prevent malicious code from executing system commands via HTTP requests. For example, if users are able to publish code on your website, malicious code added by a user could force every other user who opens the page to load and execute code from a third-party website, e.g. via an HTML image tag. With Crumb implemented in your hapi.js application, you are able to verify requests with unique tokens and prevent the execution of malicious requests.

https://github.com/hapijs/crumb

Dependencies:

boom : 7.x.x
cryptiles : 4.x.x
hoek : 5.x.x
joi : 13.x.x

Related Projects

makemehapi - Self guided workshops to teach you about hapi.

  •    Javascript

Learn all about hapi through a series of self-guided challenges. makemehapi will run you through a series of challenges ranging from a basic "hello world" server, then move on to more advanced exercises dealing with rendering views, handling uploads, and managing cookies.

cookie - Cookie authentication plugin

  •    Javascript

Cookie authentication provides simple cookie-based session management. The user has to be authenticated via other means, typically a web form, and upon successful authentication the browser receives a reply with a session cookie. The cookie uses Iron to encrypt and sign the session content. Subsequent requests containing the session cookie are authenticated and validated via the provided validateFunc in case the cookie's encrypted content requires validation on each request.

university - Community learning experiment

  •    Javascript

Welcome to hapijs university, a community learning experiment utilizing the distributed classroom. The idea is simple: use GitHub as a platform for teaching people coding skills as a group, where everyone is both a student and a teacher. The goal is to learn how to operate such a distributed classroom and then apply that pattern to other topics. hapijs/university started as a group coding learning experiment. The university developed an application covering the essentials of a hapi application: authentication, validation, application architecture, testing, and more. To track future development, watch the issues list.

SessionManager

  •    Perl

An Apache / mod_perl session manager that will transparently supply a session ID from the client request, creating one if necessary using cookies, or munged URIs if cookies are off. It does not store session info; use the excellent Apache::Session for that.

csurf - CSRF token middleware

  •    Javascript

Node.js CSRF protection middleware. Requires either a session middleware or cookie-parser to be initialized first.
SecureCookieHttpModule

  •    ASPNET

Secure your session cookie (and other session-based cookies) against replay attacks using this easy-to-use ASP.NET HttpModule.

good - hapi process monitoring

  •    Javascript

good is a hapi plugin to monitor and report on a variety of hapi server events as well as ops information from the host machine. It listens for events emitted by hapi server instances and pushes standardized events to a collection of streams. See the Reporter Interface section of the API documentation on how to configure reporters.

akka-http-session - Web & mobile client-side akka-http sessions, with optional JWT support

  •    Java

akka-http is an Akka module, originating from spray.io, for building reactive REST services with an elegant DSL. akka-http is a great toolkit for building backends for single-page or mobile applications. In almost all apps there is a need to maintain user sessions and make sure session data is secure and cannot be tampered with.

cookie-session - Simple cookie-based session middleware

  •    Javascript

Simple cookie-based session middleware. A user session can be stored in two main ways with cookies: on the server or on the client. This module stores the session data on the client within a cookie, while a module like express-session stores only a session identifier on the client within a cookie and stores the session data on the server, typically in a database.

nes - WebSocket adapter plugin for hapi routes

  •    Javascript

nes adds native WebSocket support to hapi-based application servers. Instead of treating the WebSocket connections as a separate platform with its own security and application context, nes builds on top of the existing hapi architecture to provide a flexible and organic extension. The full client and server API is available in the API documentation.

evilginx2 - Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication

  •    Go

evilginx2 is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows bypassing 2-factor authentication protection. This tool is a successor to Evilginx, released in 2017, which used a custom version of the nginx HTTP server to provide man-in-the-middle functionality, acting as a proxy between a browser and the phished website. The present version is fully written in Go as a standalone application, which implements its own HTTP and DNS server, making it extremely easy to set up and use.

flask-sockets - Elegant WebSockets for your Flask apps.

  •    Python

Elegant WebSockets for your Flask apps. Combining WebSockets with Ajax (XHR) endpoints also comes in handy with the support of session handling built into sockets as well. As an example, you could use an Ajax login call which would create a new session and accordingly set a secure HttpOnly cookie in the browser. After authorization, you can connect to the WebSocket endpoint and reuse the session handling from Flask there as well (as shown here: https://pythonhosted.org/Flask-Session/). Access to other custom cookies is also possible via Flask's request.cookies property.

bell - Third-party login plugin for hapi

  •    Javascript

Third-party authentication plugin for hapi. bell ships with built-in support for authentication using Facebook, GitHub, Google, Google Plus, Instagram, LinkedIn, Slack, Stripe, Twitter, Yahoo, Foursquare, VK, ArcGIS Online, Windows Live, Nest, Phabricator, BitBucket, Dropbox, Reddit, Tumblr, Twitch, Mixer, Salesforce, Pinterest, Discord, DigitalOcean, AzureAD, trakt.tv and Okta. It also supports any compliant OAuth 1.0a and OAuth 2.0 based login services with a simple configuration object.

hapi-auth-jwt2 - :lock: Secure Hapi

  •    Javascript

This node.js module (Hapi plugin) lets you use JSON Web Tokens (JWTs) for authentication in your Hapi.js web application.

CheesyPy

  •    Python

CheesyPy - a library for creating websites somewhat like CherryPy, featuring a built-in web server (HTTPLib) with session management (not using cookies) and a plugin architecture (PageLib) for web pages.

play-rest-security

  •    Java

The move towards Single Page Apps and RESTful services opens the doors to a much better way of securing web applications. Traditional web applications use browser cookies to identify a user when a request is made to the server. This approach is fundamentally flawed and causes many applications to be vulnerable to Cross-Site Request Forgery (CSRF) attacks. When used correctly, RESTful services can avoid this vulnerability altogether. Before we go into the solution, let's recap the problem. HTTP is a stateless protocol. Make a request and get a response. Make another request and get another response. There is no correlation (i.e. "state") between these requests. This poses a problem when you need to identify a user to the system, because one request logs the user in and another request needs to tell the server who is making the request.

hoodie-server - :dog: Hapi plugin for Hoodie’s server core module

  •    Javascript

Have a look at the Hoodie project's contribution guidelines. If you want to hang out you can join our Hoodie Community Chat.

csrf - gorilla/csrf provides Cross Site Request Forgery (CSRF) prevention middleware for Go web applications & services

  •    Go

gorilla/csrf is also compatible with middleware 'helper' libraries like Alice and Negroni. [...] Then collect the token with csrf.Token(r) in your handlers before passing it to the template, JSON body or HTTP header.