This package adds a CSRF header to AJAX requests done via jQuery.
In the following situations no header is set:
- Cross-domain requests.
- Requests with type GET, HEAD, OPTIONS, or TRACE.
Laravel uses the X-CSRF-TOKEN header to check for a CSRF token. Django uses X-CSRFToken. This package defaults to X-CSRF-TOKEN for the header key, but you can change this using the config settings.
Its only dependency is jQuery.
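The rule described above (skip safe methods and cross-domain requests, otherwise attach the token header), written out as an added example in plain JavaScript. This is not the package's own source; `applyCsrfHeader`, `state`, `pageOrigin` and `defaultIsCSRFFailure` are assumed names, chosen so the logic can be tested without a DOM and then wired in via `$.ajaxPrefilter(options => applyCsrfHeader(options, state))`.

```javascript
// Added example, not the jquery-csrf-token package's code.
// Methods that must not change server state and therefore get no token.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Cross-domain check: compare the request URL's origin with the page origin.
// pageOrigin is passed in explicitly (assumption) because there is no window here.
function isCrossDomain(url, pageOrigin) {
  try {
    return new URL(url, pageOrigin).origin !== pageOrigin;
  } catch (e) {
    return true; // unparsable URL: treat as foreign so the token is never leaked
  }
}

// Mutates the jQuery ajax options in place, like an ajaxPrefilter would.
// state = { key: header name, token: current token, pageOrigin: page origin }.
// Returns true when the header was attached, false when the request was skipped.
function applyCsrfHeader(options, state) {
  const method = (options.type || options.method || 'GET').toUpperCase();
  if (SAFE_METHODS.has(method)) return false;          // safe method: no token
  if (options.crossDomain === undefined) {
    options.crossDomain = isCrossDomain(options.url, state.pageOrigin);
  }
  if (options.crossDomain) return false;               // never send the token off-site
  options.headers = options.headers || {};
  options.headers[state.key] = state.token;
  return true;
}

// The default retry predicate from the retry section below: every 403 counts
// as a CSRF failure unless a custom isCSRFFailure is supplied.
function defaultIsCSRFFailure(jqXHR) {
  return jqXHR.status === 403;
}
```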
Installation:
```shell
$ npm install jquery-csrf-token --save
```
Usage:
```javascript
var csrfToken = require('jquery-csrf-token');
// Enable the header with the initial token and an optional config object (see the options below).
csrfToken.enable('my-beautiful-csrf-token', config);
// Replace the token later, e.g. after the server issues a new one.
csrfToken.setToken('updated-csrf-token');
```
Options:

Name | Default | Description |
---|---|---|
key | X-CSRF-TOKEN | The header key under which the CSRF token is sent. Use X-CSRFTOKEN for Django. |
retry | false | Allows fetching a new token if the current one has expired. |
To be able to get a new token if the current one has expired, pass a retry object in the config with these keys:
- url: URL to request the new token from.
- parseResponse: A function that takes the token request response as a parameter and returns the new token.
- isCSRFFailure (optional): A function that takes the failed request response as a parameter and returns true if it is a CSRF failure. By default it retries on every 403.
Example:
```javascript
csrfToken.enable(data.csrf_token, {
  key: 'X-CSRFTOKEN',
  retry: {
    url: 'api/bootstrap/',
    parseResponse: resp => resp.csrf_token,
    isCSRFFailure: resp => resp.statusCode === 403 && resp.responseJSON.message === 'CSRFFailure',
  },
});
```
Changelog:
- Make sure custom functions are also inherited.
- Add option to retry if the token is invalid.
- Use the rollup build system.
- Changed the API to support changing the CSRF token.