Starlette middleware implementing Double Submit Cookie technique to mitigate CSRF.
Project description
Starlette CSRF Middleware
Starlette middleware implementing Double Submit Cookie technique to mitigate CSRF.
How it works?
- The user makes a first request with a method considered safe (by default
GET
,HEAD
,OPTIONS
,TRACE
). - It receives in response a cookie (named by default
csrftoken
) which contains a secret value. - When the user wants to make an unsafe request, the server expects them to send the same secret value in a header (named by default
x-csrftoken
). - The middleware will then compare the secret value provided in the cookie and the header.
- If they match, the request is processed.
- Otherwise, a
403 Forbidden
error response is given.
This mechanism is necessary if you rely on cookie authentication in a browser. You can have more information about CSRF and Double Submit Cookie in the OWASP Cheat Sheet Series.
Installation
pip install starlette-csrf
Usage with Starlette
from starlette.applications import Starlette
from starlette.middleware import Middleware
from starlette_csrf import CSRFMiddleware
routes = ...
middleware = [
Middleware(CSRFMiddleware, secret="__CHANGE_ME__")
]
app = Starlette(routes=routes, middleware=middleware)
Usage with FastAPI
from fastapi import FastAPI
from starlette_csrf import CSRFMiddleware
app = FastAPI()
app.add_middleware(CSRFMiddleware, secret="__CHANGE_ME__")
Arguments
secret
(str
): Secret to sign the CSRF token value. Be sure to choose a strong passphrase and keep it SECRET.sensitive_cookies
(Set[str]
-None
): Set of cookie names that should trigger the CSRF check if they are present in the request. Useful if you have other authentication methods that don't rely on cookies and don't need CSRF enforcement. If this parameter isNone
, the default, CSRF is always enforced.cookie_name
(str
-csrftoken
): Name of the cookie.cookie_path
str
-/
): Cookie path.cookie_domain
(Optional[str]
-None
): Cookie domain. If your frontend and API lives in different sub-domains, be sure to set this argument with your root domain to allow your frontend sub-domain to read the cookie on the JavaScript side.cookie_secure
(bool
-False
): Whether to only send the cookie to the server via SSL request.cookie_samesite
(str
-lax
): Samesite strategy of the cookie.header_name
(str
-x-csrftoken
): Name of the header where you should set the CSRF token.safe_methods
(Set[str]
-{"GET", "HEAD", "OPTIONS", "TRACE"}
): HTTP methods considered safe which don't need CSRF protection.
Development
Setup environment
You should create a virtual environment and activate it:
python -m venv venv/
source venv/bin/activate
And then install the development dependencies:
pip install -r requirements.dev.txt
Run unit tests
You can run all the tests with:
make test
Format the code
Execute the following command to apply isort
and black
formatting:
make format
License
This project is licensed under the terms of the MIT license.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
starlette-csrf-1.2.1.tar.gz
(7.2 kB
view hashes)
Built Distribution
Close
Hashes for starlette_csrf-1.2.1-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 07aa3502eb7fbe06655a7cb44dc1c872338d32b6ca630e8777dad3b750d7361c |
|
MD5 | 1e5bf6f99e66848022db8a009dc2fb20 |
|
BLAKE2b-256 | 45d070bc337a91801fcf3887463085d407298cadee25a92b6fdaf012bcbcb1df |