CSRF 防护实现指南：同步令牌、双重提交Cookie、SameSite属性全面解析

csrf-protection by aj-geddes/useful-ai-prompts

155 周安装量

160 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/aj-geddes/useful-ai-prompts --skill csrf-protection

Node.js Web应用安全

🇨🇳中文介绍

CSRF 防护

概述

使用同步令牌、双重提交 Cookie、SameSite Cookie 属性和自定义标头来实现全面的跨站请求伪造防护。

使用场景

表单提交
状态变更操作
认证系统
支付处理
账户管理
任何 POST/PUT/DELETE 请求

快速开始

最小工作示例：

// csrf-protection.js
const crypto = require("crypto");
const csrf = require("csurf");

class CSRFProtection {
  constructor() {
    this.tokens = new Map();
    this.tokenExpiry = 3600000; // 1 hour
  }

  /**
   * Generate CSRF token
   */
  generateToken() {
    return crypto.randomBytes(32).toString("hex");
  }

  /**
   * Create token for session
   */
  createToken(sessionId) {
    const token = this.generateToken();
    const expiry = Date.now() + this.tokenExpiry;

    this.tokens.set(sessionId, {
// ... (完整实现请参阅参考指南)

参考指南

references/ 目录下的详细实现：

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

指南	内容
Node.js/Express CSRF 防护	Node.js/Express CSRF 防护
双重提交 Cookie 模式	双重提交 Cookie 模式
Python Flask CSRF 防护	Python Flask CSRF 防护
前端 CSRF 实现	前端 CSRF 实现
Origin 和 Referer 验证	Origin 和 Referer 验证

🇺🇸English

CSRF Protection

Overview
When to Use
Quick Start
Reference Guides
Best Practices

Overview

Implement comprehensive Cross-Site Request Forgery protection using synchronizer tokens, double-submit cookies, SameSite cookie attributes, and custom headers.

When to Use

Form submissions
State-changing operations
Authentication systems
Payment processing
Account management
Any POST/PUT/DELETE requests

Quick Start

Minimal working example:

// csrf-protection.js
const crypto = require("crypto");
const csrf = require("csurf");

class CSRFProtection {
  constructor() {
    this.tokens = new Map();
    this.tokenExpiry = 3600000; // 1 hour
  }

  /**
   * Generate CSRF token
   */
  generateToken() {
    return crypto.randomBytes(32).toString("hex");
  }

  /**
   * Create token for session
   */
  createToken(sessionId) {
    const token = this.generateToken();
    const expiry = Date.now() + this.tokenExpiry;

    this.tokens.set(sessionId, {
// ... (see reference guides for full implementation)

Reference Guides

Detailed implementations in the references/ directory:

Guide	Contents
Node.js/Express CSRF Protection	Node.js/Express CSRF Protection
Double Submit Cookie Pattern	Double Submit Cookie Pattern
Python Flask CSRF Protection	Python Flask CSRF Protection
Frontend CSRF Implementation	Frontend CSRF Implementation
Origin and Referer Validation	Origin and Referer Validation

Best Practices

✅ DO

Use CSRF tokens for all state-changing operations
Set SameSite=Strict on cookies
Validate Origin/Referer headers
Use secure, random tokens
Implement token expiration
Use HTTPS only
Include tokens in AJAX requests
Test CSRF protection

❌ DON'T

Skip CSRF for authenticated requests
Use GET for state changes
Trust Origin header alone
Reuse tokens
Store tokens in localStorage
Allow credentials in CORS without validation

Weekly Installs

115

Repository

aj-geddes/usefu…-prompts

GitHub Stars

126

First Seen

Jan 21, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykPass

Installed on

opencode98

gemini-cli95

codex94

cursor90

claude-code87

github-copilot79