class Marten::Conf::GlobalSettings::CSRF

Overview

Defines configuration options related to Cross Site Request Forgery protection.

Defined in:

marten/conf/global_settings/csrf.cr

Instance Method Summary

Instance Method Detail

def cookie_domain : String? #

Returns the domain to use when setting the CSRF cookie.


[View source]
def cookie_domain=(cookie_domain : Nil | String) #

Allows to set the domain to use when setting the CSRF cookie.


[View source]
def cookie_http_only : Bool #

Returns a boolean indicating whether client-side scripts should have access to the CSRF token cookie.


[View source]
def cookie_http_only=(cookie_http_only : Bool) #

Allows to set whether client-side scripts should have access to the CSRF token cookie.


[View source]
def cookie_max_age : Int32 #

Returns the max age (in seconds) of the CSRF cookie.

By default, CSRF cookie max age is set to 31556952 (approximatively one year).


[View source]
def cookie_max_age=(cookie_max_age : Int32) #

Allows to set the max age (in seconds) of the CSRF cookie.


[View source]
def cookie_name : String #

Returns the name of the cookie to use for the CSRF token (defaults to "csrftoken").


[View source]
def cookie_name=(name : String | Symbol) #

Allows to set the name of the cookie to use for the CSRF token.


[View source]
def cookie_same_site : String #

Returns the value of the SameSite flag to use for the CSRF cookie (defaults to "Lax").


[View source]
def cookie_same_site=(cookie_same_site : String) #

Allows to set the value of the SameSite flag to use for the CSRF cookie.


[View source]
def cookie_secure : Bool #

Returns a boolean indicating whether to use a secure cookie for the CSRF cookie.


[View source]
def cookie_secure=(cookie_secure : Bool) #

Allows to set whether secure cookies should be used for CSRF cookies.


[View source]
def protection_enabled : Bool #

Returns a boolean indicating if CSRF protection is enabled globally (defaults to true).


[View source]
def protection_enabled=(protection_enabled : Bool) #

Allows to set whether or not CSRF protection is enabled globally.


[View source]
def session_key : String #

Returns the session key to use for the CSRF token (defaults to "csrftoken").


[View source]
def session_key=(name : String | Symbol) #

Allows to set session key to use for the CSRF token.


[View source]
def trusted_origins : Array(String) #

Returns the array of CSRF-trusted origins.


[View source]
def trusted_origins=(origins : Array(String)) #

Allows to define an array of trusted origins.

These origins will be trusted for CSRF-protected requests (such as POST requests) and they will be used to check either the Origin or the Referer header depending on the request scheme. This is done to ensure that a specific subdomain such as sub1.example.com cannot issue a POST request to sub2.example.com. In order to enable CSRF-protected requests over different origins, it's possible to add trusted origins to this array. For example https://sub1.example.com can be configured as a trusted domain that way, but it's possible to allow CSRF-protected requests for all the subdomains of a specific domain by using https://*.example.com.


[View source]
def use_session : Bool #

Returns a boolean indicating if the CSRF token is stored inside the session.


[View source]
def use_session=(use_session : Bool) #

Allows to set whether or not the CSRF token should be stored inside the session.


[View source]