nestjs csrf
https://gitissue.com/repos/jiayisheji/blog pass csrf https://github.com/expressjs/csurf/issues/21 main.ts import { NestFactory } from '@nestjs/core'; import { NestExpressApplication } from '@nestjs/platform-express'; import { join } from 'path' import { AppModule } from './app.module'; import * as cookieSession from 'cookie-session'; import * as helmet from 'helmet'; import * as cookieParser from 'cookie-parser'; import * as csurf from 'csurf'; import * as rateLimit from 'express-rate-limit'; async function bootstrap() { const app = await NestFactory.create( AppModule, ); app.init() app.useStaticAssets(join(__dirname, '..', 'public')); app.setBaseViewsDir(join(__dirname, '..', 'views')); app.setViewEngine('pug'); app.set('trust proxy', 1); app.use(cookieSession({ name: 'session', keys: ['key1', 'key2'] })); //app.enableCors(); app.use(helmet()); app.use(cookieParser()); //app.use(csurf({ cookie: true })); //正常是這行,但有些API POST時需要略過csrf app.use(function (req, res, next) { var mw = csurf({ cookie: true }); // console.log(req.url) // check real get url if (req.url === '/testpostcsrf') return next(); //pass csrf check mw(req, res, next); }); app.use( rateLimit({ windowMs: 15 * 60 * 1000, // 15 minutes max: 100, // limit each IP to 100 requests per windowMs }), ); await app.listen(3000); } bootstrap(); layout.pug doctype html html head title= title meta(content= csrfToken, name='csrf-token') body block content login.pug extends layout block content h1 Please log in if error p. #{error} form(action="/login",method="POST") input(type="hidden",name="_csrf",value=csrfToken) input(type="hidden",name="challenge",value=challenge) table(style="") tr td input(type="email",id="email",name="email",placeholder="email@foobar.com") td. (Example: "foo@bar.com") tr td input(type="password",id="password",name="password") td. (Example: "foobar") input(type="checkbox",id="remember",name="remember",value="1") label(for="remember") Remember me br input(type="submit",id="accept",value="Log in")