How to Enable Cross-Site Request Forgery (CSRF) Protection on Sails.js 0.10


The Sails team explains very well, in the comments of the csrf.js file, what CSRF is and what enabling it achieves for our project:

When enabled, all non-GET requests to the Sails server must be accompanied by a special token, identified as the '_csrf' parameter.

This option protects your Sails app against cross-site request forgery (or CSRF) attacks.

A would-be attacker needs not only a user's session cookie, but also this timestamped, secret CSRF token, which is refreshed/granted when the user visits a URL on your app's domain.

To activate it, we just have to change the value in config/csrf.js to true.

And to use it, we just have to send the token with every non-GET request we make to our server, for example by adding this hidden field to every POST form:

<form action="/user/create" method="POST" class="form-signin">
...
    <input type="hidden" name="_csrf" value="<%= _csrf %>" />
</form>

If you need more info about how to use Cross-Site Request Forgery Protection, just check the csrf.js file; it also explains how to send the token in our AJAX requests.