Ring middleware extension that prevents CSRF attacks by via an encrypted token. Using these strategies, you can protect your application against cross-site forgery requests without the need for server state.
Add the following dependency to your project.clj
:
[ring/ring-anti-forgery "1.2.0"]
[gorillalabs/ring-anti-forgery-strategies "1.2.0"]
Use the ring.middleware.anti-forgery/wrap-oauth2
middleware, but add
the :strategy
option, using one of the two strategies based upon
encryption or cryptographic signing.
For a symmetrically encrypted token use
(require '[ring.middleware.anti-forgery.encrypted-token :as encrypted-token]
'[ring.middleware.anti-forgery :refer :all]
'[buddy.core.keys :as keys]
'[clj-time.core :as time])
(let [expires-in-one-hour (time/hours 1)
secret "secret-to-validate-token-after-decryption-to-make-sure-i-encrypted-stuff"
encrypted-token-strategy (encrypted-token/encrypted-token
secret
expires-in-one-hour :identity)]
(wrap-anti-forgery handler {:strategy encrypted-token-strategy}))
To cryptographically sign a token, you need a public-/private keypair.
Public and private keys were created using commands from buddy-sign dokumentation.
Generate aes256 encrypted private key:
openssl genrsa -aes256 -out privkey.pem 2048
Generate public key from previously created private key:
openssl rsa -pubout -in privkey.pem -out pubkey.pem
Maybe you need to install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.
(require '[ring.middleware.anti-forgery.signed-token :as signed-token]
'[ring.middleware.anti-forgery :refer :all]
'[buddy.core.keys :as keys]
'[clj-time.core :as time])
(let [expires-in-one-hour (time/hours 1)
secret "secret-to-validate-token-after-decryption-to-make-sure-i-encrypted-stuff"
signed-token-strategy (signed-token/signed-token
(keys/public-key "dev-resources/test-certs/pubkey.pem")
(keys/private-key "dev-resources/test-certs/privkey.pem" "antiforgery")
expires-in-one-hour
:identity)]
(wrap-anti-forgery handler {:strategy signed-token-strategy}))
Make sure to always use tls (https) for your services, here especially use it to prevent replay attacks!
Copyright © 2018 Christian Betz
Distributed under the MIT License, the same as Ring.