@groovy.transform.CompileStatic class CSRFHandler extends java.lang.Object
This handler adds a CSRF token to requests which mutate state. In order to change state, a cookie (XSRF-TOKEN) is set with a unique token that is expected to be sent back in a header (X-XSRF-TOKEN). The handler checks the request body, header and cookie for validity. This handler requires session support, so it should be added somewhere below the Session and Body handlers.
| Constructor and description |
|---|
| CSRFHandler(java.lang.Object delegate) |

| Type | Name and description |
|---|---|
| static CSRFHandler | create(java.lang.String secret) Instantiate a new CSRFHandlerImpl with a secret |
| java.lang.Object | getDelegate() |
| void | handle(RoutingContext arg0) |
| CSRFHandler | setCookieName(java.lang.String name) Set the cookie name. |
| CSRFHandler | setHeaderName(java.lang.String name) Set the header name. |
| CSRFHandler | setNagHttps(boolean nag) Should the handler give warning messages if this handler is used in other than https protocols? |
| CSRFHandler | setTimeout(long timeout) Set the timeout for tokens generated by the handler, by default it uses the default from the session handler. |

| Methods inherited from class | Name |
|---|---|
| class java.lang.Object | java.lang.Object#wait(long, int), java.lang.Object#wait(long), java.lang.Object#wait(), java.lang.Object#equals(java.lang.Object), java.lang.Object#toString(), java.lang.Object#hashCode(), java.lang.Object#getClass(), java.lang.Object#notify(), java.lang.Object#notifyAll() |
create(java.lang.String secret)
Instantiate a new CSRFHandlerImpl with a secret.
    CSRFHandler.create("s3cr37")
secret
- server secret to sign the token.

setCookieName(java.lang.String name)
Set the cookie name. By default XSRF-TOKEN is used, as it is the name expected by AngularJS; however, other frameworks might use other names.
name
- a new name for the cookie.

setHeaderName(java.lang.String name)
Set the header name. By default X-XSRF-TOKEN is used, as it is the name expected by AngularJS; however, other frameworks might use other names.
name
- a new name for the header.

setNagHttps(boolean nag)
Should the handler give warning messages if this handler is used in other than https protocols?
nag
- true to nag

setTimeout(long timeout)
Set the timeout for tokens generated by the handler; by default it uses the default from the session handler.
timeout
- token timeout
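The handler ordering that the description above calls for, shown as an added example written for this page rather than taken from the Vert.x documentation. It assumes a Vert.x 3 Groovy verticle (where `vertx` is already bound), port 8080, and a placeholder secret that would normally come from configuration.

```groovy
import io.vertx.groovy.ext.web.Router
import io.vertx.groovy.ext.web.handler.BodyHandler
import io.vertx.groovy.ext.web.handler.CSRFHandler
import io.vertx.groovy.ext.web.handler.CookieHandler
import io.vertx.groovy.ext.web.handler.SessionHandler
import io.vertx.groovy.ext.web.sstore.LocalSessionStore

// Assumption: this script runs as a Groovy verticle, so `vertx` is bound by the runtime.
def router = Router.router(vertx)

// Order matters: CSRFHandler needs the cookie, the parsed body and the session,
// so it is registered after those handlers on the same catch-all route.
router.route().handler(CookieHandler.create())
router.route().handler(BodyHandler.create())
router.route().handler(SessionHandler.create(LocalSessionStore.create(vertx)))

// Placeholder secret: load the real value from configuration instead of hard-coding it.
def csrf = CSRFHandler.create("CHANGE-ME-server-secret")
  .setCookieName("XSRF-TOKEN")    // defaults written out; these are the names AngularJS expects
  .setHeaderName("X-XSRF-TOKEN")
  .setNagHttps(true)              // log a warning if this ever runs over plain HTTP
  .setTimeout(30 * 60 * 1000L)    // 30-minute token lifetime instead of the session default
router.route().handler(csrf)

// A safe (GET) request passes straight through and receives the XSRF-TOKEN cookie.
router.get("/profile").handler { ctx ->
  ctx.response().putHeader("content-type", "text/plain").end("profile for session " + ctx.session().id())
}

// A state-changing (POST) request only reaches this handler when the X-XSRF-TOKEN
// header sent by the client matches the cookie; otherwise CSRFHandler fails the request first.
router.post("/profile").handler { ctx ->
  def newName = ctx.request().getFormAttribute("name")
  ctx.session().put("name", newName)
  ctx.response().setStatusCode(204).end()
}

vertx.createHttpServer().requestHandler(router.&accept).listen(8080)
```

A client that is not running the same origin's script cannot read the XSRF-TOKEN cookie, so it cannot supply the matching header and the POST is rejected.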