Struct actix_web::middleware::csrf::CsrfFilterBuilder

pub struct CsrfFilterBuilder { /* fields omitted */ }

Used to build a CsrfFilter.

To construct a CSRF filter:

1. Call CsrfFilter::build to start building.
2. Add allowed origins.
3. Call finish to retrieve the constructed filter.

Example

use actix_web::middleware::csrf;

let csrf = csrf::CsrfFilter::build()
    .allowed_origin("https://www.example.com")
    .finish();

Methods

impl CsrfFilterBuilder

fn allowed_origin(self, origin: &str) -> CsrfFilterBuilder

Add an origin that is allowed to make requests. Will be verified against the Origin request header.

fn allow_xhr(self) -> CsrfFilterBuilder

Allow all requests with an X-Requested-With header.

A cross-site attacker should not be able to send requests with custom headers unless a CORS policy whitelists them. Therefore it should be safe to allow requests with an X-Requested-With header (added automatically by many JavaScript libraries).

This is disabled by default, because in Safari it is possible to circumvent this using redirects and Flash.

Use this method to enable more lax filtering.

fn allow_missing_origin(self) -> CsrfFilterBuilder

Allow requests if the expected Origin header is missing (and there is no Referer to fall back on).

The filter is conservative by default, but it should be safe to allow missing Origin headers because a cross-site attacker cannot prevent the browser from sending Origin on unsafe requests.

fn finish(self) -> CsrfFilter

Finishes building the CsrfFilter instance.