@groovy.transform.CompileStatic class CSRFHandler extends java.lang.Object
This handler adds a CSRF token to requests which mutate state. To change state, a cookie (XSRF-TOKEN) is set with a unique token, which is expected to be sent back in a header (X-XSRF-TOKEN). The handler checks the request body, header and cookie for validity. This handler requires session support, so it should be added somewhere below the Session and Body handlers.
| Constructor and description |
|---|
| CSRFHandler(java.lang.Object delegate) |
| Type | Name and description |
|---|---|
| static CSRFHandler | create(java.lang.String secret) Instantiate a new CSRFHandlerImpl with a secret |
| java.lang.Object | getDelegate() |
| void | handle(RoutingContext arg0) |
| CSRFHandler | setCookieName(java.lang.String name) Set the cookie name. |
| CSRFHandler | setHeaderName(java.lang.String name) Set the header name. |
| CSRFHandler | setNagHttps(boolean nag) Should the handler give warning messages if it is used with protocols other than HTTPS? |
| CSRFHandler | setTimeout(long timeout) Set the timeout for tokens generated by the handler; by default it uses the default from the session handler. |
| Methods inherited from class | Name |
|---|---|
| class java.lang.Object | java.lang.Object#wait(long, int), java.lang.Object#wait(long), java.lang.Object#wait(), java.lang.Object#equals(java.lang.Object), java.lang.Object#toString(), java.lang.Object#hashCode(), java.lang.Object#getClass(), java.lang.Object#notify(), java.lang.Object#notifyAll() |
Instantiate a new CSRFHandlerImpl with a secret

CSRFHandler.create("s3cr37")

secret - server secret to sign the token.

Set the cookie name. By default XSRF-TOKEN is used, as it is the name AngularJS expects; other frameworks might use other names.

name - a new name for the cookie.

Set the header name. By default X-XSRF-TOKEN is used, as it is the name AngularJS expects; other frameworks might use other names.

name - a new name for the header.

Should the handler give warning messages if it is used with protocols other than HTTPS?

nag - true to nag

Set the timeout for tokens generated by the handler; by default it uses the default from the session handler.

timeout - token timeout
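The handler ordering and setters described above, wired into a router. This is an added example, not code from the Vert.x project. It assumes the Vert.x-Web 3.x Groovy classes `Router`, `CookieHandler`, `BodyHandler`, `SessionHandler` and `LocalSessionStore`, a hypothetical `CSRF_SECRET` environment variable, hypothetical `/api/profile` routes, and that the timeout is in milliseconds.

```groovy
import io.vertx.groovy.core.Vertx
import io.vertx.groovy.ext.web.Router
import io.vertx.groovy.ext.web.handler.BodyHandler
import io.vertx.groovy.ext.web.handler.CookieHandler
import io.vertx.groovy.ext.web.handler.CSRFHandler
import io.vertx.groovy.ext.web.handler.SessionHandler
import io.vertx.groovy.ext.web.sstore.LocalSessionStore

def vertx = Vertx.vertx()
def router = Router.router(vertx)

// Assumption: the signing secret is read from the environment (CSRF_SECRET is a
// hypothetical variable name) rather than written as a literal in the source.
def secret = System.getenv('CSRF_SECRET')
if (!secret) {
  throw new IllegalStateException('CSRF_SECRET is not set')
}

// Handlers the CSRF handler relies on are registered first: cookies, body, session.
router.route().handler(CookieHandler.create())
router.route().handler(BodyHandler.create())
router.route().handler(SessionHandler.create(LocalSessionStore.create(vertx)))

// Cookie and header names are set explicitly here to the documented defaults;
// change both together if the client framework expects other names.
def csrf = CSRFHandler.create(secret)
csrf.setCookieName('XSRF-TOKEN')
csrf.setHeaderName('X-XSRF-TOKEN')
csrf.setTimeout(30 * 60 * 1000L) // assumed milliseconds: 30 minutes
csrf.setNagHttps(true)           // log a warning when served over plain HTTP
router.route('/api/*').handler(csrf)

// The GET response carries the XSRF-TOKEN cookie. The POST handler is reached
// only if the client sends that token back in the X-XSRF-TOKEN header.
router.get('/api/profile').handler({ ctx -> ctx.response().end('profile') })
router.post('/api/profile').handler({ ctx -> ctx.response().end('updated') })

vertx.createHttpServer().requestHandler(router.&accept).listen(8080)
```

A state-changing request that omits the header, or sends a token past its timeout, should be rejected before it reaches the POST handler, which is the behaviour to confirm in an integration test.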