[ANN] nosurf – an anti-CSRF tool for Go


Justinas Stankevičius

Aug 25, 2013, 3:05:29 PM8/25/13
to golan...@googlegroups.com
Hello,

I released a functional version of nosurf today. Nosurf is an HTTP "middleware" for Go that mitigates CSRF attacks. It leverages the standard http.Handler interface, so you can use it with almost any framework, router, etc.

As this is both my first Go library and the first time I'm dealing with code that does the actual protection from CSRF, some peer review would be appreciated. The library seems to be doing the job, but maybe there's an important feature it's missing? Or maybe I've missed a particular case, or left in a weird bug?

I'm looking forward to your feedback!

Regards,
Justinas

AllenDang

Aug 25, 2013, 9:47:18 PM8/25/13
to golan...@googlegroups.com
Nice! I will check it out.

Coda Hale

Aug 25, 2013, 11:18:10 PM8/25/13
to golan...@googlegroups.com
The token generation should really just use crypto/rand and io.ReadFull:


CSRF tokens need to be unguessable, and math/rand is not designed to provide that.

(Re-sent to go-nuts as well.)


--
Coda Hale
http://codahale.com
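The generation approach Coda describes (crypto/rand read through io.ReadFull, so a short read fails loudly), paired with a constant-time check of the submitted token, as an added example that is not part of this thread or of nosurf itself; the function names and the 32-byte token length are assumptions:

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"io"
)

// tokenLength is the number of random bytes per token (32 bytes = 256 bits); assumed, not nosurf's value.
const tokenLength = 32

// generateToken fills the buffer from crypto/rand via io.ReadFull, so a short
// read is reported as an error instead of silently yielding a partly random token.
func generateToken() ([]byte, error) {
	token := make([]byte, tokenLength)
	if _, err := io.ReadFull(rand.Reader, token); err != nil {
		return nil, fmt.Errorf("csrf: reading random bytes: %w", err)
	}
	return token, nil
}

// encodeToken renders the raw token for embedding in a form field or cookie.
func encodeToken(token []byte) string {
	return base64.StdEncoding.EncodeToString(token)
}

// verifyToken compares the submitted token with the stored one in constant time,
// so response timing does not leak how many leading bytes matched.
func verifyToken(stored, submitted string) bool {
	a, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return false
	}
	b, err := base64.StdEncoding.DecodeString(submitted)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(a, b) == 1
}

func main() {
	raw, err := generateToken()
	if err != nil {
		panic(err)
	}
	tok := encodeToken(raw)
	fmt.Println("token:", tok)
	fmt.Println("verify same: ", verifyToken(tok, tok))
	fmt.Println("verify other:", verifyToken(tok, encodeToken(make([]byte, tokenLength))))
}
```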

silk...@gmail.com

Aug 26, 2013, 4:40:37 AM8/26/13
to golan...@googlegroups.com
Thanks, I've been informed about this, just didn't create the issue. As this is a non-breaking change, I'll change it to only crypto/rand ASAP.