Programming language: Go
License: MIT License
Tags: Forms    
Latest version: v1.1.0

nosurf alternatives and similar packages

Based on the "Forms" category.
Alternatively, view nosurf alternatives based on common mentions on social networks and blogs.

  • gorilla/csrf

    DISCONTINUED. gorilla/csrf provides Cross Site Request Forgery (CSRF) prevention middleware for Go web applications & services 🔒
  • binding

    DISCONTINUED. Reflectionless data binding for Go's net/http (not actively maintained)
  • Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
    Promo www.influxdata.com
    InfluxDB Logo
  • form

    :steam_locomotive: Decodes url.Values into Go value(s) and Encodes Go value(s) into url.Values. Dual Array and Full map support.
  • conform

    Trims, sanitizes & scrubs data based on struct tags (go, golang)
  • httpin

    🍡 HTTP Input for Go - HTTP Request from/to Go Struct (Bi-directional Data Binding between Go Struct and http.Request)
  • formam

    a package for decode form's values into struct in Go
  • forms

    A lightweight go library for parsing form data or json from an http.Request.
  • qs

    Go module for encoding structs into URL query parameters
  • bind

    Bind form data to any Go values
  • queryparam

    Go package to easily convert a URL's query parameters/values into usable struct values of the correct types.
  • gbind

    Bind data to any Go value. Can use built-in and custom expression binding capabilities; supports data validation logic for Go values. // 将数据绑定到任何 Go 值。可使用内置和自定义表达式绑定能力;支持对Go值的数据校验逻辑.
  • checker

    Checker is a Go library for validating user input through checker rules provided in struct tags.

Do you think we are missing an alternative of nosurf or a related project?

Add another 'Forms' Package



Build Status GoDoc

nosurf is an HTTP package for Go that helps you prevent Cross-Site Request Forgery attacks. It acts like a middleware and therefore is compatible with basically any Go HTTP application.


Even though CSRF is a prominent vulnerability, Go's web-related package infrastructure mostly consists of micro-frameworks that neither do implement CSRF checks, nor should they.

nosurf solves this problem by providing a CSRFHandler that wraps your http.Handler and checks for CSRF attacks on every non-safe (non-GET/HEAD/OPTIONS/TRACE) method.

nosurf requires Go 1.1 or later.


  • Supports any http.Handler (frameworks, your own handlers, etc.) and acts like one itself.
  • Allows exempting specific endpoints from CSRF checks by an exact URL, a glob, or a regular expression.
  • Allows specifying your own failure handler. Want to present the hacker with an ASCII middle finger instead of the plain old HTTP 400? No problem.
  • Uses masked tokens to mitigate the BREACH attack.
  • Has no dependencies outside the Go standard library.


package main

import (

var templateString string = `
<!doctype html>
{{ if .name }}
<p>Your name: {{ .name }}</p>
{{ end }}
<form action="/" method="POST">
<input type="text" name="name">

<!-- Try removing this or changing its value
     and see what happens -->
<input type="hidden" name="csrf_token" value="{{ .token }}">
<input type="submit" value="Send">
var templ = template.Must(template.New("t1").Parse(templateString))

func myFunc(w http.ResponseWriter, r *http.Request) {
    context := make(map[string]string)
    context["token"] = nosurf.Token(r)
    if r.Method == "POST" {
        context["name"] = r.FormValue("name")

    templ.Execute(w, context)

func main() {
    myHandler := http.HandlerFunc(myFunc)
    fmt.Println("Listening on")
    http.ListenAndServe(":8000", nosurf.New(myHandler))

Manual token verification

In some cases the CSRF token may be send through a non standard way, e.g. a body or request is a JSON encoded message with one of the fields being a token.

In such case the handler(path) should be excluded from an automatic verification by using one of the exemption methods:

    func (h *CSRFHandler) ExemptFunc(fn func(r *http.Request) bool)
    func (h *CSRFHandler) ExemptGlob(pattern string)
    func (h *CSRFHandler) ExemptGlobs(patterns ...string)
    func (h *CSRFHandler) ExemptPath(path string)
    func (h *CSRFHandler) ExemptPaths(paths ...string)
    func (h *CSRFHandler) ExemptRegexp(re interface{})
    func (h *CSRFHandler) ExemptRegexps(res ...interface{})

Later on, the token must be verified by manually getting the token from the cookie and providing the token sent in body through: VerifyToken(tkn, tkn2 string) bool.


func HandleJson(w http.ResponseWriter, r *http.Request) {
    d := struct{
        X,Y int
        Tkn string
    json.Unmarshal(ioutil.ReadAll(r.Body), &d)
    if !nosurf.VerifyToken(nosurf.Token(r), d.Tkn) {
        http.Errorf(w, "CSRF token incorrect", http.StatusBadRequest)
    // do smth cool


  1. Find an issue that bugs you / open a new one.
  2. Discuss.
  3. Branch off, commit, test.
  4. Make a pull request / attach the commits to the issue.