Popularity
7.8
Stable
Activity
2.5
Growing
1,632
41
127

Programming language: Go
License: MIT License
Tags: Forms    
Latest version: v1.1.0

nosurf alternatives and similar packages

Based on the "Forms" category.
Alternatively, view nosurf alternatives based on common mentions on social networks and blogs.

  • gorilla/csrf

    7.4 1.1 nosurf VS gorilla/csrf
    DISCONTINUED. gorilla/csrf provides Cross Site Request Forgery (CSRF) prevention middleware for Go web applications & services 🔒

  • binding

    7.3 0.0 nosurf VS binding
    DISCONTINUED. Reflectionless data binding for Go's net/http (not actively maintained)

    • InfluxDB 3 OSS is now GA. Transform, enrich, and act on time series data directly in the database. Automate critical tasks and eliminate the need to move data externally. Download now.
    Promo www.influxdata.com
    InfluxDB Logo

  • form

    6.9 4.3 nosurf VS form
    :steam_locomotive: Decodes url.Values into Go value(s) and Encodes Go value(s) into url.Values. Dual Array and Full map support.

  • conform

    5.7 0.0 nosurf VS conform
    Trims, sanitizes & scrubs data based on struct tags (go, golang)

  • httpin

    5.7 3.9 nosurf VS httpin
    🍡 HTTP Input for Go - HTTP Request from/to Go Struct (Bi-directional Data Binding between Go Struct and http.Request)

  • formam

    5.0 0.0 nosurf VS formam
    a package for decode form's values into struct in Go

  • forms

    4.8 0.0 nosurf VS forms
    A lightweight go library for parsing form data or json from an http.Request.

  • qs

    3.4 4.3 nosurf VS qs
    Go module for encoding structs into URL query parameters

  • bind

    2.4 0.0 nosurf VS bind
    Bind form data to any Go values

  • checker

    2.1 8.4 nosurf VS checker
    Effortless input validation in Go with the power of struct tags. No dependencies, just pure simplicity. ✨ See how! 👀

  • queryparam

    1.9 0.0 nosurf VS queryparam
    Go package to easily convert a URL's query parameters/values into usable struct values of the correct types.

  • gbind

    0.8 6.1 nosurf VS gbind
    Bind data to any Go value. Can use built-in and custom expression binding capabilities; supports data validation logic for Go values. // 将数据绑定到任何 Go 值。可使用内置和自定义表达式绑定能力;支持对Go值的数据校验逻辑.

Do you think we are missing an alternative of nosurf or a related project?

Add another 'Forms' Package
SaaSHub - Software Alternatives and Reviews
featured www.saashub.com

Popular Comparisons

README

nosurf

Build Status GoDoc

nosurf is an HTTP package for Go that helps you prevent Cross-Site Request Forgery attacks. It acts like a middleware and therefore is compatible with basically any Go HTTP application.

Why?

Even though CSRF is a prominent vulnerability, Go's web-related package infrastructure mostly consists of micro-frameworks that neither do implement CSRF checks, nor should they.

nosurf solves this problem by providing a CSRFHandler that wraps your http.Handler and checks for CSRF attacks on every non-safe (non-GET/HEAD/OPTIONS/TRACE) method.

nosurf requires Go 1.1 or later.

Features

  • Supports any http.Handler (frameworks, your own handlers, etc.) and acts like one itself.
  • Allows exempting specific endpoints from CSRF checks by an exact URL, a glob, or a regular expression.
  • Allows specifying your own failure handler. Want to present the hacker with an ASCII middle finger instead of the plain old HTTP 400? No problem.
  • Uses masked tokens to mitigate the BREACH attack.
  • Has no dependencies outside the Go standard library.

Example

package main

import (
    "fmt"
    "github.com/justinas/nosurf"
    "html/template"
    "net/http"
)

var templateString string = `
<!doctype html>
<html>
<body>
{{ if .name }}
<p>Your name: {{ .name }}</p>
{{ end }}
<form action="/" method="POST">
<input type="text" name="name">

<!-- Try removing this or changing its value
     and see what happens -->
<input type="hidden" name="csrf_token" value="{{ .token }}">
<input type="submit" value="Send">
</form>
</body>
</html>
`
var templ = template.Must(template.New("t1").Parse(templateString))

func myFunc(w http.ResponseWriter, r *http.Request) {
    context := make(map[string]string)
    context["token"] = nosurf.Token(r)
    if r.Method == "POST" {
        context["name"] = r.FormValue("name")
    }

    templ.Execute(w, context)
}

func main() {
    myHandler := http.HandlerFunc(myFunc)
    fmt.Println("Listening on http://127.0.0.1:8000/")
    http.ListenAndServe(":8000", nosurf.New(myHandler))
}

Manual token verification

In some cases the CSRF token may be send through a non standard way, e.g. a body or request is a JSON encoded message with one of the fields being a token.

In such case the handler(path) should be excluded from an automatic verification by using one of the exemption methods:

    func (h *CSRFHandler) ExemptFunc(fn func(r *http.Request) bool)
    func (h *CSRFHandler) ExemptGlob(pattern string)
    func (h *CSRFHandler) ExemptGlobs(patterns ...string)
    func (h *CSRFHandler) ExemptPath(path string)
    func (h *CSRFHandler) ExemptPaths(paths ...string)
    func (h *CSRFHandler) ExemptRegexp(re interface{})
    func (h *CSRFHandler) ExemptRegexps(res ...interface{})

Later on, the token must be verified by manually getting the token from the cookie and providing the token sent in body through: VerifyToken(tkn, tkn2 string) bool.

Example:

func HandleJson(w http.ResponseWriter, r *http.Request) {
    d := struct{
        X,Y int
        Tkn string
    }{}
    json.Unmarshal(ioutil.ReadAll(r.Body), &d)
    if !nosurf.VerifyToken(nosurf.Token(r), d.Tkn) {
        http.Errorf(w, "CSRF token incorrect", http.StatusBadRequest)
        return
    }
    // do smth cool
}

Contributing

  1. Find an issue that bugs you / open a new one.
  2. Discuss.
  3. Branch off, commit, test.
  4. Make a pull request / attach the commits to the issue.