Configuration for Sails' built-in CSRF protection middleware. These options are conventionally set in the
config/csrf.js configuration file. See the docs on Cross-Site Request Forgery in the security section for detailed usage instructions.
This option protects your Sails app against cross-site request forgery (CSRF) attacks. A browser attaches your app's cookies to a request no matter which page initiated it, so a session cookie alone does not prove that the user meant to make the request. With CSRF protection on, a state-changing request must also carry a timestamped, secret CSRF token, which is granted (and refreshed) when the user visits a URL on your app's domain; a would-be attacker therefore needs not only the user's session cookie but also this token, which a page on another domain cannot read.
This lets you be confident that your users' requests haven't been hijacked, and that the requests they're making are intentional and legitimate.
| Type | Default | Details |
|------|---------|---------|
| boolean | `false` | CSRF protection is disabled by default to facilitate development. To turn it on, just set |
| boolean | `true` | Whether to activate the `/csrfToken` route, which returns the current CSRF token value for use in AJAX requests. |
| string | `''` | Comma-delimited list of origins that are allowed to fetch the CSRF token via the `/csrfToken` shadow route. This is separate from the other CORS settings, which do not apply to `/csrfToken`. List only origins you control: any origin on this list can obtain a token for the visiting user's session, which is exactly what the token is meant to withhold from other sites. |
| string | `''` | Comma-delimited list of routes where CSRF protection is disabled. Requests to those routes become forgeable again, so limit the list to endpoints that do not rely on the session cookie for authentication (for example, a webhook receiver that verifies its own signature). |