@joystick.js/node

CSRF Protection

How Joystick protects against Cross-Site Request Forgery (CSRF) attacks.

Only Applies to Joystick Versions Up To 1.0.0-rc.1

Prior to Joystick v1.0.0-rc.2, CSRF protection required database-backed sessions. It is now handled entirely via cookies and does not require a database.

Cross-Site Request Forgery (CSRF) attacks involve an attacker crafting a link (or form) that points at your domain and getting your users to open it. When a logged-in user follows that link, the browser attaches the user's cookies, so the server carries out the action as if the user had initiated it (e.g., calling a setter with attacker-chosen parameters).

To enable CSRF protection in your Joystick app, set config.sessions.secret in your settings.<env>.json file to a difficult-to-guess string.

To generate a secret, we recommend using the following command in your terminal:

Terminal

node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"

This generates 32 random bytes encoded as a hex string (64 characters). Keep in mind: this value should NOT be stored in an unsafe location. Copy it to your settings.<env>.json file and/or into a password manager.

Once you have your secret, update your settings.<env>.json file:

/settings.development.json

{
  "config": {
    "sessions": {
      "secret": "<Paste your generated secret here...>"
    },
    ...
  },
  "global": {},
  "public": {},
  "private": {}
}

Once added, Joystick will detect it and automatically create a session cookie (HTTP-only, so it is inaccessible to JavaScript in the browser) that the server can validate alongside API requests (getters and setters).

When you call getters or setters, Joystick automatically validates the CSRF token included in the session cookie. If it's a match, the request proceeds; if not, the request receives a 403 Forbidden error.

Query params sanitized

To protect against scripts being executed via query params, Joystick automatically strips HTML tags from the query params passed in your app's URL. This closes the gap in the approach above: a script reflected from a query param could otherwise run in the page and read the CSRF token Joystick injects into it.