Skill

csrf-protection

Implements CSRF protection using synchronizer tokens, double-submit cookies, and SameSite attributes. Secures web forms, state-changing endpoints, and authentication layers.

JavaScript

npx claudepluginhub secondsky/claude-skills --plugin csrf-protection

Popularity

Parent stars

149

Parent forks

Invocation

How this skill is triggered — by the user, by Claude, or both

Slash command

/csrf-protection:csrf-protection

User invocable

Model invocable

Inline context

Default effort

Context Preview

The summary Claude sees in its skill listing — used to decide when to auto-load this skill

Defend against Cross-Site Request Forgery attacks using multiple protection layers.

Supporting Files

references/python-react.md

SKILL.md

94 lines · ~584 tokens

Similar Skills

OWASP CSRF Protection

Prevents CSRF attacks by validating request origin and using unpredictable tokens for state-changing operations. Covers SameSite cookies, sync token pattern, double-submit cookie pattern, and origin header validation.

1 file

harness-claude

prevent-csrf

Protects state-changing endpoints (POST, PUT, PATCH, DELETE) from cross-site request forgery using synchronizer tokens, SameSite cookies, or origin verification.

grimoire

csrf

Detects missing CSRF protection in forms, state-changing endpoints, and session cookie config. Use when writing HTML forms, setting CSRF middleware, or disabling framework protections.

soundcheck

Stats

LanguageTypeScript

Parent stars149

Parent forks23

MaintenanceGood

Last CommitApr 2, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Stats

Actions

Help us improve

Share bugs, ideas, or general feedback.

CSRF Protection

Defend against Cross-Site Request Forgery attacks using multiple protection layers.

Protection Methods

Method

How It Works

Browser Support

Synchronizer Token

Hidden form field validated server-side

All

Double Submit

Cookie + header must match

All

SameSite Cookie

Browser blocks cross-origin requests

Modern

Token-Based Protection (Express)

SameSite Cookies

app.use(session({ cookie: { httpOnly: true, secure: true, sameSite: 'strict', // or 'lax' maxAge: 3600000 } }));

HTML Form Integration

<form method="POST" action="/transfer"> <input type="hidden" name="_csrf" value="<%= csrfToken %>"> <button type="submit">Submit</button> </form>

Best Practices

Apply to all state-changing requests (POST, PUT, DELETE)

Use SameSite=Strict for sensitive cookies

Validate Origin/Referer headers

Never use GET for modifications

Implement token expiration (1 hour typical)

Combine multiple defense layers

Additional Implementations

Flask-WTF complete CSRF setup

React hooks for CSRF token management

Double submit cookie pattern

Common Mistakes

Assuming authentication prevents CSRF

Reusing tokens across sessions

Storing tokens in localStorage

Missing token expiration

CSRF Protection

Defend against Cross-Site Request Forgery attacks using multiple protection layers.

Protection Methods

Method	How It Works	Browser Support
Synchronizer Token	Hidden form field validated server-side	All
Double Submit	Cookie + header must match	All
SameSite Cookie	Browser blocks cross-origin requests	Modern

Token-Based Protection (Express)

const crypto = require('crypto');

function generateToken() {
  return crypto.randomBytes(32).toString('hex');
}

// Middleware
app.use((req, res, next) => {
  if (!req.session.csrfToken) {
    req.session.csrfToken = generateToken();
  }
  res.locals.csrfToken = req.session.csrfToken;
  next();
});

// Validation
app.post('*', (req, res, next) => {
  const token = req.body._csrf || req.headers['x-csrf-token'];
  if (!token || !crypto.timingSafeEqual(
    Buffer.from(token),
    Buffer.from(req.session.csrfToken)
  )) {
    return res.status(403).json({ error: 'Invalid CSRF token' });
  }
  next();
});

SameSite Cookies

app.use(session({
  cookie: {
    httpOnly: true,
    secure: true,
    sameSite: 'strict', // or 'lax'
    maxAge: 3600000
  }
}));

HTML Form Integration

<form method="POST" action="/transfer">
  <input type="hidden" name="_csrf" value="<%= csrfToken %>">
  <button type="submit">Submit</button>
</form>

Best Practices

Apply to all state-changing requests (POST, PUT, DELETE)
Use SameSite=Strict for sensitive cookies
Validate Origin/Referer headers
Never use GET for modifications
Implement token expiration (1 hour typical)
Combine multiple defense layers

Additional Implementations

See references/python-react.md for:

Flask-WTF complete CSRF setup
React hooks for CSRF token management
Double submit cookie pattern

Common Mistakes

Assuming authentication prevents CSRF
Reusing tokens across sessions
Storing tokens in localStorage
Missing token expiration

csrf-protection

Popularity

Invocation

Context Preview

Supporting Files

SKILL.md

Similar Skills

Help us improve

Help us improve

Find plugins for your project

csrf-protection

Popularity

Invocation

Context Preview

Supporting Files

SKILL.md

CSRF Protection

Protection Methods

Token-Based Protection (Express)

SameSite Cookies

HTML Form Integration

Best Practices

Additional Implementations

Common Mistakes

Similar Skills

Help us improve

CSRF Protection

Protection Methods

Token-Based Protection (Express)

SameSite Cookies

HTML Form Integration

Best Practices

Additional Implementations

Common Mistakes