NAME

Amon2::Plugin::Web::CSRFDefender - Anti CSRF filter

SYNOPSIS

    package MyApp::Web;
    use Amon2::Web;
    __PACKAGE__->load_plugin('Web::CSRFDefender');

This plugin denies CSRF request.

Do not use this with HTTP::Session2. Because HTTP::Session2 has XSRF token management function by itself.

$c->get_csrf_defender_token(): Get a CSRF defender token. This method is useful to add token for AJAX request.
$c->validate_csrf(): You can validate CSRF token manually.

no_validate_hook: Do not run validation automatically.
no_html_filter: Disable HTML rewriting filter. By default, CSRFDefender inserts XSRF token for each form element.
It's very useful but it hits performance issue if your site is very high traffic.
csrf_token_generator: You can change the csrf token generation algorithm.

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

Tokuhiro Matsuno <tokuhirom@gmail.com>

Kazuho Oku and mala for security advice.