Use csrf only for defined routes in restify

Question

I have restify application (simple API). We use csurf library for preventing CSRF requests.

But I need don't use CSRF validation on several routes.

First idea, which I think - this create array with routes for which I don't need use csrf and validate current route.

var routesNoCSRF = ['/api/route1', '/api/route2'];
if (routesNoCSRF.indexOf(currentRoute) === -1) {
  server.use(csrf({
    cookie: true,
    ignoreMethods: ['HEAD', 'OPTIONS']
  }));
}

But on this step I didn't have access to currentRoute

Second - this divide one API to 2 different APis - and for first use csrf validation for second - not. In this case - we create 2 different servers, which listen 2 different ports.

But i would to do this with using only one app. Is it possible ?

Did you already get this figured out? – HeadCode Oct 06 '15 at 03:13 — HeadCode, Oct 06 '15 at 03:13

score 1 · Accepted Answer · answered Oct 06 '15 at 03:16

1

There is a complete example for ignoring routes on the csurf github page.

https://github.com/expressjs/csurf

answered Oct 06 '15 at 03:16

HeadCode

2,770
1
14
26

Thank you for answer, we have a lot of routes and we require routes automatically (all files from folder). For this case - we can use 2 folders for routes - one (for which we don't need csrf) and second - for which we need csrf verifying. But now we decided another solution - use 2 folders with routes, 2 node servers and use ENV_VARIABLE for detecting should we use csrf or not (in app.js). – yAnTar Oct 06 '15 at 14:48

Use csrf only for defined routes in restify

1 Answers1