- Home
- Skills
- Harperaa
- Secure Claude Skills
- Csrf Protection
csrf-protection_skill
- JavaScript
4
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill harperaa/secure-claude-skills --skill csrf-protection- SKILL.md16.0 KB
Overview
This skill implements robust CSRF protection for API routes in JavaScript applications. It provides HMAC-signed, session-bound, single-use tokens delivered via an API endpoint and validated by middleware to block cross-site request forgery. The design uses secure cookies (HttpOnly, SameSite=Strict) and short-lived tokens to minimize risk from token theft or interception.
How this skill works
The skill generates a random token and signs it with HMAC-SHA256 using a server secret and the user's session ID, then returns the token to the client while storing the session-bound proof in an HTTP-only cookie. A middleware wrapper extracts the X-CSRF-Token header and session cookie on protected POST/PUT/DELETE requests, verifies the HMAC signature in constant time, clears the token after use, and either calls your handler or returns HTTP 403 when validation fails.
When to use it
- Protect POST, PUT, PATCH, DELETE or any state-changing API endpoints
- Secure form submissions from client-side applications
- Prevent cross-origin or hidden-form attacks (iframes, auto-submits)
- Add defense-in-depth for authenticated routes that rely on cookies
- Use alongside rate limiting and authentication middleware
Best practices
- Always fetch the CSRF token from a dedicated endpoint using credentials: 'include' before submitting sensitive requests
- Send the token in the X-CSRF-Token header, never in URL query parameters
- Bind tokens to session identifiers and mark cookies HttpOnly and SameSite=Strict
- Make tokens single-use and short-lived to limit exposure if stolen
- Apply protection to all state-changing endpoints and combine with rate limiting
Example use cases
- Protect a contact form submission endpoint in a Next.js API route
- Secure account deletion, password change, and payment endpoints
- Protect RESTful APIs that rely on cookie-based session authentication
- Combine with rate limiting middleware for high-value actions
- Automated test scripts that validate 403 responses for missing/invalid tokens
FAQ
Call the token endpoint with credentials: 'include' to receive a JSON response containing the CSRF token and set the session cookie.
What happens if the token is missing or invalid?
The middleware returns HTTP 403 Forbidden and does not invoke your handler, preventing the state change.
Can tokens be reused or stolen via XSS?
Tokens are single-use and session-bound; HttpOnly cookies and SameSite=Strict reduce theft risk. Single-use tokens make captured values useless after one request.