NodeJS

Express

CSRF

If you want to implement CSRF protection in express for a SPA application you need to inject the token into the template html, this is best done using steams for performance. This code also uses express sessions instead of cookies for tracking the tokens.

const Transform		= require("stream").Transform;
const newLineStream = require("new-line");
const fs			= require("fs");
const csurf			= require("csurf");
const session		= require("express-session");

const csrfProtection		= csurf();
const app					= express();

app.use(session({
	secret: crypto.randomBytes(32).toString("hex"),
	resave: false,
	saveUninitialized: true,
	cookie: { secure: serverConfig.protocol === "https" }
}));

const csrfInject = (req, res, file) => {
	const streamParser = new Transform();

	// Modify the transform to inject custom code.
	streamParser._transform = function (data, encoding, done) {
		const str = data.toString().replace("</head>", `<meta content="${req.csrfToken()}" name="csrf-token" /></head>`);
		this.push(str);
		done();
	};

	res.set("Content-Type", "text/html");

	// Send the file.
	return fs.createReadStream(file)
		.pipe(newLineStream())
		.pipe(streamParser)
		.on("error", console.error)
		.pipe(res);
};

app.get("/*", csrfProtection, (req, res, next) => {
	return csrfInject(req, res, path.resolve(__dirname,"../dist/index.html"));
});

// app.post("/endpoint", csrfProtection ...

See also

• Introduction to NPM
• VueJS