csurf
csurf is an Express middleware for CSRF (Cross-Site Request Forgery) protection that generates and validates tokens to prevent malicious websites from submitting unauthorized requests on behalf of authenticated users.
Installation
npm install csurf
yarn add csurf
pnpm add csurf
Import
import csurf from 'csurf';
Quick Example
import express from 'express';
import cookieParser from 'cookie-parser';
import csurf from 'csurf';
const app = express();
// cookie: true stores the CSRF secret in a cookie, so cookie-parser must be mounted first; urlencoded parsing lets csurf read the _csrf field from a form body. Add secure: true to the cookie options when serving over HTTPS.
app.use(cookieParser());
app.use(express.urlencoded({ extended: false }));
app.use(csurf({ cookie: { httpOnly: true, sameSite: 'strict' } }));
app.get('/form', (req, res) => {
res.render('form', { csrfToken: req.csrfToken() });
});
app.post('/form', (req, res) => {
res.send('ok'); // csurf has already rejected any request without a valid token (error code EBADCSRFTOKEN, status 403)
});
About csurf
csurf is an Express middleware for CSRF (Cross-Site Request Forgery) protection. It generates and validates tokens so that a malicious website cannot submit state-changing requests on behalf of an authenticated user. CSRF attacks exploit the fact that browsers automatically attach cookies to every request for a domain, so a page on an attacker's site can submit a form or API request that the server cannot distinguish from a legitimate one.

csurf keeps a per-session secret (in the session, or in a cookie when configured with cookie: true) and derives tokens from it. Every call to req.csrfToken() returns a fresh token that the handler embeds in a form or passes to client-side code for a request header; all tokens derived from the same secret remain valid. Because the same-origin policy stops the attacker's page from reading the token, a forged request arrives without a valid one and csurf rejects it with a 403 error whose code is EBADCSRFTOKEN. By default csurf skips GET, HEAD and OPTIONS requests, so state-changing actions must never be reachable through those methods.

csurf reads the token from the request body (_csrf field), the query string (_csrf), or one of the headers CSRF-Token, XSRF-TOKEN, X-CSRF-Token and X-XSRF-Token, in that order. In cookie mode the cookie-parser middleware must be mounted before csurf; in session mode, express-session (or a compatible session store) must be. For csurf to see the body field, a body parser such as express.urlencoded must also run before it.

csurf has been deprecated and is no longer maintained, and its maintainers recommend other CSRF defences, especially for single-page applications that authenticate with bearer tokens, which browsers do not attach automatically and which are therefore not exposed to CSRF in the same way. It remains widely used in traditional server-rendered Express applications that use cookie-based session authentication and HTML forms.
Quick Facts
| Field | Value |
| --- | --- |
| Package | csurf |
| Category | Auth |
| Weekly Downloads | 200K+ |
| License | MIT |
| Install | npm install csurf |
Related Packages
Express is the most widely used web application framework for Node.js, providing a minimal and flexi…
Helmet helps secure Express.js applications by setting various HTTP response headers that protect ag…
CORS (Cross-Origin Resource Sharing) is an Express/Connect middleware that enables cross-origin requ…
express-session is a session middleware for Express that creates server-side sessions identified by …