CSRF protection middleware for Actix Web applications. Supports double submit cookie and synchronizer token patterns (with actix-session) out of the box. Flexible, easy to configure, and includes test coverage for common attacks and edge cases.
WARNING: This crate has not been audited and may contain bugs and security flaws. This implementation is NOT ready for production use.
- Store CSRF tokens as:
  - Stateless double submit cookie
  - Synchronizer token in persistent storage via `actix-session`
- Implemented following the OWASP CSRF Prevention Cheat Sheet
- CSRF token is a 256-bit cryptographically secure random value
- For the double submit cookie pattern, binds the session/pre-session ID to the CSRF token with HMAC-SHA256 (the "signed double submit cookie" variant), so a cookie planted by an attacker who can set cookies but does not hold the server key fails verification
- Compares tokens in constant time to prevent timing attacks
- Protects routes that have no authenticated session yet with signed, stateless pre-sessions (the pre-session cookie is always `HttpOnly=true`, `Secure=true`, `SameSite=Strict`)
- Automatically extracts and verifies tokens from `application/json` and `application/x-www-form-urlencoded` request bodies
- Configurable cookie, header, and form field names
- Optional Origin/Referer enforcement for mutating requests (configurable)
- Helpers for manually extracting and validating CSRF tokens at the handler level, useful for `multipart/form-data` requests where reading the body in middleware would be expensive
- Enabled by default for all mutating (`POST`, `PUT`, `PATCH`, `DELETE`) HTTP requests; supports per-path CSRF exclusion via `skip_for`
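The signed double submit cookie flow the feature list describes (256-bit random token, HMAC-SHA256 binding of the session ID to the token, constant-time comparison, Origin/Referer enforcement, token extraction from JSON and urlencoded bodies, and a `skip_for`-style exclusion list), as an added example. It is written in Python on the standard library so it runs stand-alone; it is not this crate's code and does not use its API, and the `Request`, `CsrfCheck` and `demo` names, the HMAC key and the constructed requests are assumptions for illustration only.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    method: str
    path: str
    session_id: str                                # session or pre-session id
    headers: dict = field(default_factory=dict)    # lower-case header names
    cookies: dict = field(default_factory=dict)
    body: bytes = b""

def generate_csrf_token() -> str:
    """256-bit cryptographically secure random value, hex encoded."""
    return secrets.token_hex(32)

def _message(session_id: str, token: str) -> bytes:
    # Length-prefix both fields so ("ab", "c") and ("a", "bc") cannot collide.
    return f"{len(session_id)}!{session_id}!{len(token)}!{token}".encode()

def sign_token(secret: bytes, session_id: str, token: str) -> str:
    """Cookie value = HMAC-SHA256(secret, session id + token) + '.' + token."""
    mac = hmac.new(secret, _message(session_id, token), hashlib.sha256).hexdigest()
    return f"{mac}.{token}"

def verify_token(secret: bytes, session_id: str, cookie_value: str, submitted: str) -> bool:
    """Cookie must equal the submitted token and carry a valid MAC for this session (constant time)."""
    if not hmac.compare_digest(cookie_value.encode(), submitted.encode()):
        return False
    mac, sep, token = cookie_value.partition(".")
    if not sep:
        return False
    expected = hmac.new(secret, _message(session_id, token), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac.encode(), expected.encode())

def origin_allowed(headers: dict, allowed_origin: str) -> bool:
    """Origin header wins when present; fall back to Referer; reject if neither is sent."""
    origin = headers.get("origin")
    if origin is not None:
        return origin == allowed_origin
    referer = headers.get("referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}" == allowed_origin
    return False

def extract_token(headers: dict, body: bytes, header_name: str, field_name: str):
    """Header first, then a JSON or urlencoded body; other content types (e.g. multipart)
    return None so the handler can validate them itself."""
    if headers.get(header_name):
        return headers[header_name]
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype == "application/json":
        try:
            data = json.loads(body)
        except ValueError:
            return None
        value = data.get(field_name) if isinstance(data, dict) else None
        return value if isinstance(value, str) else None
    if ctype == "application/x-www-form-urlencoded":
        return parse_qs(body.decode("utf-8", "replace")).get(field_name, [None])[0]
    return None

class CsrfCheck:
    """Hypothetical middleware core: decides whether a mutating request may proceed."""
    def __init__(self, secret: bytes, allowed_origin: str, skip_for=(), cookie_name="csrf",
                 header_name="x-csrf-token", field_name="csrf_token"):
        self.secret, self.allowed_origin, self.skip_for = secret, allowed_origin, tuple(skip_for)
        self.cookie_name, self.header_name, self.field_name = cookie_name, header_name, field_name

    def check(self, req: Request) -> str:
        """Returns 'ok', 'skipped', or the reason the request must be rejected with 403."""
        if req.method.upper() not in MUTATING_METHODS:
            return "skipped"
        if any(req.path.startswith(prefix) for prefix in self.skip_for):
            return "skipped"
        if not origin_allowed(req.headers, self.allowed_origin):
            return "bad-origin"
        cookie = req.cookies.get(self.cookie_name)
        if not cookie:
            return "missing-cookie"
        submitted = extract_token(req.headers, req.body, self.header_name, self.field_name)
        if submitted is None:
            return "missing-token"
        if not verify_token(self.secret, req.session_id, cookie, submitted):
            return "token-mismatch"
        return "ok"

def demo() -> dict:
    """Constructed requests: one legitimate, two attacks, two that are exempt."""
    secret = b"server-side HMAC key (constructed for this example)"
    csrf = CsrfCheck(secret, "https://app.example", skip_for=("/webhooks/",))
    sid = "sess-1234"
    cookie = sign_token(secret, sid, generate_csrf_token())
    form = {"origin": "https://app.example", "content-type": "application/x-www-form-urlencoded"}
    good = Request("POST", "/transfer", sid, form, {"csrf": cookie}, f"amount=10&csrf_token={cookie}".encode())
    cross = Request("POST", "/transfer", sid, {**form, "origin": "https://evil.example"}, {"csrf": cookie}, b"amount=10")
    # Attacker who can plant a cookie (e.g. from a sibling subdomain) but does not know the server key.
    forged = sign_token(b"attacker guess", sid, generate_csrf_token())
    planted = Request("POST", "/transfer", sid, {"origin": "https://app.example", "content-type": "application/json"},
                      {"csrf": forged}, json.dumps({"amount": 10, "csrf_token": forged}).encode())
    read = Request("GET", "/account", sid)
    webhook = Request("POST", "/webhooks/pay", sid)
    return {"form": csrf.check(good), "cross-site": csrf.check(cross), "planted-cookie": csrf.check(planted),
            "get": csrf.check(read), "webhook": csrf.check(webhook)}
```

The planted-cookie case is the reason for the HMAC: with a plain double submit cookie it would pass, because cookie and body agree; binding the token to the session ID under a server-side key means only the server can mint a cookie that verifies. Origin is checked before the body is touched so cross-site requests are rejected cheaply.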
Minimal runnable examples are provided in the `examples` directory:
- Double Submit Cookie: `examples/double-submit-cookie`
- Synchronizer Token (requires `actix-session`): `examples/synchronizer-token`
- Rotation After Auth (Double Submit Cookie + the `RequestExt` rotate helper): `examples/rotation-after-auth`
This project is licensed under the MIT License. See LICENSE for details.