npmpackage.info

Gathering detailed insights and metrics for @nartix/next-csrf

@nartix/next-csrf - 0.1.3 | npmpackage.info

@nartix/next-csrf

A CSRF protection middleware for NextJS 15

0.1.3

MIT

16.51 kB

Installations

npm install @nartix/next-csrf

Developer Guide

BETA

Typescript

Yes

Module System

ESM

Node Version

20.18.1

NPM Version

10.8.2 Pull Requests

Open

0

Total

0

Closed

0

Issues

Open

0

Total

0

Closed

0

Releases

v0.1.3

Updated on Jan 09, 2025

v0.1.2

Updated on Jan 08, 2025

v0.1.1

Updated on Jan 07, 2025

v0.1.0

Updated on Jan 07, 2025

View All 4 releases

Developer

nartix

Download Statistics

Total Downloads

Last Day

Last Week

Last Month

Last Year

GitHub Statistics

MIT License

1 Stars

11 Commits

1 Watchers

1 Branches

1 Contributors

Updated on Jan 29, 2025

Maintainers

View All 1 Contributors

Package Meta Information

Latest Version

0.1.3

Package Id

@nartix/next-csrf@0.1.3

Unpacked Size

16.51 kB

Size

5.63 kB

File Count

NPM Version

10.8.2

Node Version

20.18.1

Published on

Jan 09, 2025

Total Downloads

Cumulative downloads

Total Downloads

NaN

Last Day

NaN

Compared to previous day

Last Week

NaN

Compared to previous week

Last Month

NaN

Compared to previous month

Last Year

NaN

Compared to previous year

Weekly Downloads

Monthly Downloads

Yearly Downloads

Dependencies

@nartix/edge-token

Peer Dependencies

Dev Dependencies

jest typescript

Next CSRF

A lightweight CSRF protection middleware for Next.js on the Edge Runtime. It performs a double check on the CSRF token by comparing the token from the request body or headers with the token stored in the cookie. You can access the token via request header or by reading the cookie value.

Installation

1npm install @nartix/next-csrf

Quick Start

Below is a minimal example of how to integrate this middleware in a Next.js app:

1// middleware.ts (or middleware.js)
2import { NextRequest, NextResponse } from 'next/server';
3import { createNextCsrfMiddleware } from '@nartix/next-csrf';
4
5export async function middleware(req: NextRequest) {
6  const res = NextResponse.next();
7
8  // Provide any custom options here
9  const csrfOptions = {
10    secret: 'your-secret-key', // Required
11    // Additional options can be specified
12  };
13
14  return createNextCsrfMiddleware(req, res, csrfOptions);
15}

Default Configuration

Below is an example of the default configuration. You can override any of these options in the middleware:

1// default config
2
3{
4  headerName: 'X-CSRF-TOKEN',
5  formFieldName: 'csrf_token',
6  excludeMethods: ['GET', 'HEAD', 'OPTIONS'],
7  algorithm: 'SHA-256',
8  tokenByteLength: 32,
9  separator: '.',
10  enableHeaderCheckForJson: false,
11  cookie: {
12    name: 'CSRF-TOKEN',
13    path: '/',
14    httpOnly: true,
15    secure: process.env.NODE_ENV === 'production',
16    sameSite: 'strict',
17    maxAge: 60 * 60 * 24 * 7, // 1 week
18    domain: undefined,
19  },
20}

How It Works

Token Generation: If the CSRF-TOKEN cookie does not exist, the middleware generates a new token and sets it as a cookie.
Double Check: It compares the token in the cookie to the token from the request—either via a form field, JSON body, or request header.
Verification: The token is then cryptographically validated with your secret.
Optional Header Access: You can configure enableHeaderCheckForJson to allow tokens to be read directly from headers for JSON requests.

Error Handling

If token validation fails, the middleware automatically returns a 403 Forbidden response with a JSON error message.

License

MIT License. Feel free to modify and use in your projects.

No vulnerabilities found.

No security vulnerabilities found.