
Configuration for Sails' built-in CSRF protection middleware. These options are conventionally set in the config/csrf.js configuration file. See the docs on Cross-Site Request Forgery in the security section for detailed usage instructions.

This option protects your Sails app against cross-site request forgery (CSRF) attacks. In a CSRF attack, a page the attacker controls makes a logged-in user's browser send a request to your app; the browser attaches the session cookie automatically, so the cookie alone does not prove the user intended the request. With CSRF protection enabled, a state-changing request must also carry a secret CSRF token that is bound to the user's session and is granted (and refreshed) only when the user visits a URL on your app's domain, which the attacker's page cannot read.

This gives you assurance that your users' state-changing requests were made intentionally from your own pages or clients rather than forged by another site. It does not replace authentication or input validation: a valid token proves only that the request came from something able to read that session's token.


| Property | Type | Default | Details |
|:---|:---|:---|:---|
| `csrf` | dictionary or boolean | `false` | CSRF protection is disabled by default to facilitate development. To turn it on, set `sails.config.csrf` to `true`, or, for more flexibility, to a dictionary with any of the properties described below (supplying a dictionary also enables protection). |
| `csrf.grantTokenViaAjax` | boolean | `true` | Whether to activate the `/csrfToken` route, which returns the current CSRF token value (a `GET` responds with `{ "_csrf": "<token>" }`) so it can be included in AJAX requests. |
| `csrf.origin` | string | `''` | Comma-delimited list of origins that are allowed to fetch the CSRF token from the `/csrfToken` shadow route. This is separate from the other CORS settings, which do not apply to `/csrfToken`. Any origin listed here can obtain tokens for a user's session, so list only origins you control. |
| `csrf.routesDisabled` | string | `''` | Comma-delimited list of routes where CSRF protection is disabled (for example, endpoints that receive requests from third-party services rather than from a browser). Every route listed here is unprotected, so keep the list as short as possible. |
