From soundcheck
Detects CSRF vulnerabilities in HTML forms, session cookies, and middleware for Django, Flask, Express, Spring Boot, Go, and Rust web apps. Provides framework-specific fixes and verification steps.
Install: npx claudepluginhub thejefflarson/soundcheck --plugin soundcheck
Protects against cross-site request forgery, where an attacker tricks an authenticated user's browser into submitting a state-changing request the user did not intend. Exploitation leads to unauthorized fund transfers, account takeover, or privilege escalation.
Vulnerable patterns to look for:
- <form method="POST" action="/transfer"> — a form with no CSRF token hidden field
- @csrf_exempt / csrf().disable() — framework CSRF protection explicitly disabled
- Set-Cookie: session=abc123 — session cookie without SameSite=Strict or SameSite=Lax
- Express app with no csurf or csrf-csrf middleware registered

For each vulnerable call site, apply the appropriate control:
- Django: remove @csrf_exempt, ensure django.middleware.csrf.CsrfViewMiddleware is in MIDDLEWARE, and include {% csrf_token %} in every POST form
- Flask: use flask-wtf with CSRFProtect(app) and include {{ form.hidden_tag() }} or <input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
- Express: use csrf-csrf or csurf middleware, pass the token to templates via res.locals, and include <input type="hidden" name="_csrf" value="{{csrfToken}}">
- Spring Boot: remove http.csrf().disable() / http.csrf(csrf -> csrf.disable()), and include <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/> in Thymeleaf forms or use th:action (auto-includes the token)
- Go: use gorilla/csrf or justinas/nosurf middleware and inject the token via csrf.TemplateField(r) in templates
- Rust: use actix-csrf middleware and validate a token from a hidden form field against the session-bound value
- Session cookies: set SameSite=Lax (minimum) or SameSite=Strict; add the Secure and HttpOnly flags

Secure pattern (Django):
    # views.py — no @csrf_exempt; CsrfViewMiddleware is enabled in settings.MIDDLEWARE
    from django.shortcuts import redirect, render

    # process_transfer is the app's own transfer logic (not shown here)

    def transfer(request):
        if request.method == "POST":
            # token validated automatically by CsrfViewMiddleware before the view runs
            process_transfer(request.POST["amount"], request.POST["to"])
            return redirect("/done")
        return render(request, "transfer.html")  # template has {% csrf_token %}
Why this works: The server generates a per-session (or per-request) token that an attacker's cross-origin page cannot read. The middleware rejects any POST missing or mismatching the token.
Confirm the following properties hold (language-agnostic):
- No CSRF exemptions remain (@csrf_exempt, csrf().disable(), csrf: false)
- Session cookies carry the SameSite=Lax or SameSite=Strict attribute
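As an added example (not code from the soundcheck plugin), a small scanner for the vulnerable patterns and the verification checklist above: POST forms that carry neither a token hidden field nor a token template tag, explicit opt-outs of framework protection, and session cookies missing SameSite, Secure or HttpOnly. The token field names and opt-out patterns are the ones listed above; the sample HTML is constructed.

```python
import re
from html.parser import HTMLParser

# Hidden-field names and template tags the frameworks above use for the token.
TOKEN_FIELDS = {"csrfmiddlewaretoken", "csrf_token", "_csrf", "${_csrf.parameterName}"}
TOKEN_TAGS = ("{% csrf_token %}", "form.hidden_tag()", "csrf_token()", "_csrf.token")
# Explicit opt-outs of framework protection (Django, Spring, Express options).
DISABLE_RE = re.compile(r"@csrf_exempt|csrf(\(\))?\.disable\(\)|csrf\s*:\s*false")

class _Forms(HTMLParser):
    """Records each POST form's action and whether a token field/tag appears inside it."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and (a.get("method") or "get").lower() == "post":
            self._cur = [a.get("action", ""), False]
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None and (
                a.get("name") in TOKEN_FIELDS or any(t in (a.get("value") or "") for t in TOKEN_TAGS)):
            self._cur[1] = True
    def handle_data(self, data):
        if self._cur is not None and any(t in data for t in TOKEN_TAGS):
            self._cur[1] = True
    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def unprotected_forms(html):
    """Actions of POST forms that carry neither a token field nor a token template tag."""
    p = _Forms()
    p.feed(html)
    return [action for action, ok in p.forms if not ok]

def disabled_protection(source):
    """Line numbers in a source file where CSRF protection is explicitly switched off."""
    return [i for i, line in enumerate(source.splitlines(), 1) if DISABLE_RE.search(line)]

def weak_session_cookie(set_cookie):
    """Missing attributes on a Set-Cookie value; an empty list means it passes the checklist."""
    attrs = {p.strip().split("=")[0].lower(): p.strip() for p in set_cookie.split(";")[1:]}
    samesite = attrs.get("samesite", "").split("=")[-1].lower()
    missing = [] if samesite in ("lax", "strict") else ["SameSite=Lax or Strict"]
    missing += [f for f in ("Secure", "HttpOnly") if f.lower() not in attrs]
    return missing

# Constructed sample: the first form is the vulnerable pattern above, the second is the Django fix.
SAMPLE_HTML = '<form method="POST" action="/transfer"></form><form method="post" action="/ok">{% csrf_token %}</form>'
```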