Overview
ShipSecure CSRF is a suite of high-performance, framework-agnostic security libraries designed to protect modern Node.js applications against Cross-Site Request Forgery (CSRF).
Unlike traditional CSRF middleware that relies on server-side sessions (and therefore Redis or databases), ShipSecure implements the Double-Submit Cookie Pattern with HMAC signing. This makes it:
- Stateless: Perfect for Serverless, Edge, and Microservices.
- Fast: No database lookups required to validate a request.
- Secure: Uses strong cryptographic signing (HMAC-SHA256) and optional Subject Binding to prevent token theft/replay attacks.
How it Works
The Double-Submit Cookie pattern relies on the fact that a malicious site can make the browser send requests to your API, but it cannot read the cookies set by your domain.
Token Issue: The server generates a signed token and sends it twice:
- Once as an HttpOnly cookie (which the browser handles automatically).
- Once in the response body (which the client JavaScript reads).
Request: When performing a state-changing action (POST, PUT, DELETE), the client reads the token from the response and sends it in a specific HTTP Header (e.g., x-csrf-token).
Validation: The server verifies that the token in the header matches the token in the cookie. Since an attacker cannot read the HttpOnly cookie, they cannot forge the matching header. The server also verifies the token's HMAC signature, so a fabricated cookie/header pair is rejected as well.