Go 的 CSRF 中間件:nosurf

jopen 12年前發布 | 16K 次閱讀 nosurf Google Go/Golang開發

nosurf 是 Go 語言的一個 CSRF 跨站請求偽造(Cross Site Request Forgery) 中間件,可嵌入到 net/http 中使用,可方便與 Gorilla 和 Martini 框架結合使用。

特性:

  • Supports any http.Handler (frameworks, your own handlers, etc.) and acts like one itself.
  • Allows exempting specific endpoints from CSRF checks by an exact URL, a glob, or a regular expression.
  • Allows specifying your own failure handler. Want to present the hacker with an ASCII middle finger instead of the plain old HTTP 400? No problem.
  • Has no dependencies outside the Go standard library.

示例代碼:

package main

import (
    "fmt"
    "github.com/justinas/nosurf"
    "html/template"
    "net/http"
)

var templateString string = `
<!doctype html>
<html>
<body>
{{ if .name }}
<p>Your name: {{ .name }}</p>
{{ end }}
<form action="/" method="POST">
<input type="text" name="name">

<!-- Try removing this or changing its value
     and see what happens -->
<input type="hidden" name="csrf_token" value="{{ .token }}">
<input type="submit" value="Send">
</form>
</body>
</html>
`
var templ = template.Must(template.New("t1").Parse(templateString))

func myFunc(w http.ResponseWriter, r *http.Request) {
    context := make(map[string]string)
    context["token"] = nosurf.Token(r)
    if r.Method == "POST" {
        context["name"] = r.FormValue("name")
    }

    templ.Execute(w, context)
}

func main() {
    myHandler := http.HandlerFunc(myFunc)
    fmt.Println("Listening on http://127.0.0.1:8000/")
    http.ListenAndServe(":8000", nosurf.New(myHandler))
}

項目主頁:http://www.baiduhome.net/lib/view/home/1385008718875

 本文由用戶 jopen 自行上傳分享,僅供網友學習交流。所有權歸原作者,若您的權利被侵害,請聯系管理員。
 轉載本站原創文章,請注明出處,并保留原始鏈接、圖片水印。
 本站是一個以用戶分享為主的開源技術平臺,歡迎各類分享!