snap-extras-0.12.3.0: A collection of useful helpers and utilities for Snap web applications.

Safe Haskell: None
Language: Haskell2010

Snap.Extras.CSRF

Documentation

csrfTokenSplice

Arguments

:: Monad m 
=> m Text

A computation in the runtime monad that gets the CSRF protection token.

-> Splice m 

A splice that makes the CSRF token available to templates. Typically we use it by binding a splice and using the CSRF token provided by the session snaplet as follows:

("csrfToken", csrfTokenSplice $ with session csrfToken)

where session is a lens to the session snaplet. You can then make the token available to JavaScript code by putting a meta tag at the top of every page like this:

<meta name="csrf-token" content="${csrfToken}">
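The following is an added example, not code from the snap-extras package, showing where the two splices on this page get bound in an application: a minimal snaplet with a Heist snaplet and a cookie-backed session snaplet, plus the template it renders. The App type, the heist and sess lenses, the template name, and the four-argument initCookieSessionManager of snap 1.x are assumptions of this example; the session snaplet's csrfToken and the _csrf field name are the ones this page documents.

```haskell
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE TemplateHaskell #-}
module Main where

import           Control.Lens                (makeLenses)
import           Heist                       (Splices, (##))
import           Snap.Snaplet
import           Snap.Snaplet.Heist          (HasHeist (..), Heist, SnapletISplice,
                                              addSplices, heistInit, render)
import           Snap.Snaplet.Session
import           Snap.Snaplet.Session.Backends.CookieSession (initCookieSessionManager)
import           Snap.Extras.CSRF            (csrfTokenSplice, secureForm)

-- Assumed application state: a Heist snaplet and a session snaplet.
data App = App
  { _heist :: Snaplet (Heist App)
  , _sess  :: Snaplet SessionManager
  }
makeLenses ''App

instance HasHeist App where
  heistLens = subSnaplet heist

-- Both splices read the per-session token from the session snaplet, so the
-- value that lands in the page is the same one the server will later compare
-- the _csrf parameter against.
csrfSplices :: Splices (SnapletISplice App)
csrfSplices = do
  "csrfToken" ## csrfTokenSplice (with sess csrfToken)   -- ${csrfToken} in templates
  "form"      ## secureForm      (with sess csrfToken)   -- every <form> gets a hidden _csrf input

appInit :: SnapletInit App App
appInit = makeSnaplet "app" "CSRF splices demo" Nothing $ do
  h <- nestSnaplet "" heist $ heistInit "templates"
  s <- nestSnaplet "sess" sess $
         initCookieSessionManager "site_key.txt" "sess" Nothing (Just 3600)
  addSplices csrfSplices
  addRoutes [("/profile", render "profile")]
  return (App h s)

{- templates/profile.tpl (constructed for this example):

<html>
  <head>
    <meta name="csrf-token" content="${csrfToken}">
  </head>
  <body>
    <form method="POST" action="/profile">
      <!-- secureForm prepends <input type="hidden" name="_csrf" value="..."> here -->
      <input type="text" name="display_name">
      <button type="submit">Save</button>
    </form>
  </body>
</html>
-}
```

Binding secureForm to the bare tag name "form" means every form rendered through Heist carries the token without each template having to remember it; the meta tag covers requests that JavaScript builds by hand, which must still submit the token as the _csrf parameter for the checks on this page to accept them.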

secureForm

Arguments

:: MonadIO m 
=> m Text

A computation in the runtime monad that gets the CSRF protection token.

-> Splice m 

Adds a hidden _csrf input field as the first child of the bound tag. For full site protection against CSRF, bind this splice to the form tag, and then make sure your app checks all POST requests for the presence of this CSRF token and that the token is randomly generated and unpredictable on a per-session basis.

blanketCSRF

Arguments

:: SnapletLens v SessionManager

Lens to the session snaplet

-> Handler b v ()

Handler to run if the CSRF check fails

-> Handler b v ()

Handler to let through when successful.

-> Handler b v () 

Use this function to wrap your whole site with CSRF protection. For security reasons, the way Snap parses file uploads means that the CSRF token cannot be checked before the file uploads have been handled. This function therefore protects your whole site except for handlers of multipart/form-data forms (forms with file uploads). To protect those handlers, you have to call handleCSRF explicitly after the file has been processed.
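The following is an added example, not code from the snap-extras package, of the arrangement described above: the whole site is wrapped with blanketCSRF, and the one multipart/form-data route consumes the upload first and only then runs handleCSRF itself. The App type, the sess lens, the routes, the 1 MiB part limit, and the snap 1.x signatures assumed here (four-argument initCookieSessionManager, handleFileUploads with a per-part policy) are assumptions of this example; the failure response is a constructed 403.

```haskell
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE TemplateHaskell #-}
module Main where

import           Control.Lens                (makeLenses)
import           Control.Monad               (forM_)
import qualified Data.ByteString.Char8       as B
import           Snap.Core
import           Snap.Http.Server            (defaultConfig)
import           Snap.Snaplet
import           Snap.Snaplet.Session
import           Snap.Snaplet.Session.Backends.CookieSession (initCookieSessionManager)
import           Snap.Util.FileUploads
import           Snap.Extras.CSRF            (blanketCSRF, handleCSRF)

-- Assumed application state: just the session snaplet that holds the token.
data App = App { _sess :: Snaplet SessionManager }
makeLenses ''App

-- Sent for any POST whose _csrf parameter does not match the session token.
csrfFailure :: Handler App App ()
csrfFailure = do
  modifyResponse $ setResponseStatus 403 "Forbidden"
  writeBS "CSRF token missing or invalid"

-- Multipart route. blanketCSRF lets this body through unchecked, so the
-- handler must read the upload first and then run handleCSRF explicitly.
uploadHandler :: Handler App App ()
uploadHandler = do
  -- Buffer each part in memory (bounded by the per-part policy) rather than
  -- persisting it: nothing durable happens until the token has been verified.
  parts <- handleFileUploads "/tmp" defaultUploadPolicy
             (const (allowWithMaximumSize (1024 * 1024)))
             (\info outcome -> case outcome of
                 Left violation -> return (partFieldName info, Left (show violation))
                 Right path     -> do bytes <- B.readFile path
                                      return (partFieldName info, Right bytes))
  -- The form fields, _csrf included, only become request parameters once the
  -- multipart body has been consumed, which is why the check sits here.
  handleCSRF sess csrfFailure $
    forM_ parts $ \(field, outcome) -> case outcome of
      Left err    -> writeBS (B.concat ["rejected ", field, ": ", B.pack err, "\n"])
      Right bytes ->
        -- Hand `bytes` to the application's storage layer here (assumed to
        -- exist); the example just reports what passed the check.
        writeBS (B.concat ["accepted ", field, " (",
                           B.pack (show (B.length bytes)), " bytes)\n"])

appInit :: SnapletInit App App
appInit = makeSnaplet "app" "CSRF-wrapped site" Nothing $ do
  s <- nestSnaplet "sess" sess $
         initCookieSessionManager "site_key.txt" "sess" Nothing (Just 3600)
  addRoutes [ ("/upload", method POST uploadHandler)
            , ("/ping",   writeBS "ok")
            ]
  -- Every route runs behind the token check; non-POST requests and
  -- multipart/form-data bodies pass straight through to the handler.
  wrapSite (blanketCSRF sess csrfFailure)
  return (App s)

main :: IO ()
main = serveSnaplet defaultConfig appInit
```

Because handleFileUploads removes its temporary files when the callback returns, the callback has to copy or process each part before the token can be checked; keeping that copy in memory (or in a staging area the application discards on failure) is what stops a forged multipart POST from leaving anything behind.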

handleCSRF

Arguments

:: SnapletLens v SessionManager

Lens to the session snaplet

-> Handler b v ()

Handler to run on failure

-> Handler b v ()

Handler to let through when successful.

-> Handler b v () 

If a request is a POST, check the CSRF token and fail with the specified handler if the check fails. If the token is correct, or if it is not a POST request, control passes through as a no-op.

handleCSRF'

Arguments

:: SnapletLens v SessionManager 
-> Handler b v ()

On failure

-> Handler b v () 

A version of handleCSRF that works as an imperative filter. It is a no-op when successful and redirects to oblivion on failure.