csrf-protection

Implements CSRF protection using synchronizer tokens, double-submit cookies, and SameSite attributes. Use when securing web forms, protecting state-changing endpoints, or implementing defense-in-depth authentication.

Install with Tessl CLI

npx tessl i github:secondsky/claude-skills --skill csrf-protection

What are skills?

Overall
score

87%

Review — 86%

Does it follow best practices?

If you maintain this skill, you can automatically optimize it using the tessl CLI to improve its score:

npx tessl skill review --optimize ./path/to/skill

Learn more

Validation — 13 / 16 Passed

Validation for skill structure

SKILL.md

Review

Evals

CSRF Protection

Defend against Cross-Site Request Forgery attacks using multiple protection layers.

Protection Methods

Method	How It Works	Browser Support
Synchronizer Token	Hidden form field validated server-side	All
Double Submit	Cookie + header must match	All
SameSite Cookie	Browser blocks cross-origin requests	Modern

Token-Based Protection (Express)

const crypto = require('crypto');

function generateToken() {
  return crypto.randomBytes(32).toString('hex');
}

// Middleware
app.use((req, res, next) => {
  if (!req.session.csrfToken) {
    req.session.csrfToken = generateToken();
  }
  res.locals.csrfToken = req.session.csrfToken;
  next();
});

// Validation
app.post('*', (req, res, next) => {
  const token = req.body._csrf || req.headers['x-csrf-token'];
  if (!token || !crypto.timingSafeEqual(
    Buffer.from(token),
    Buffer.from(req.session.csrfToken)
  )) {
    return res.status(403).json({ error: 'Invalid CSRF token' });
  }
  next();
});

SameSite Cookies

app.use(session({
  cookie: {
    httpOnly: true,
    secure: true,
    sameSite: 'strict', // or 'lax'
    maxAge: 3600000
  }
}));

HTML Form Integration

<form method="POST" action="/transfer">
  <input type="hidden" name="_csrf" value="<%= csrfToken %>">
  <button type="submit">Submit</button>
</form>

Best Practices

Apply to all state-changing requests (POST, PUT, DELETE)
Use SameSite=Strict for sensitive cookies
Validate Origin/Referer headers
Never use GET for modifications
Implement token expiration (1 hour typical)
Combine multiple defense layers

Additional Implementations

See references/python-react.md for:

Flask-WTF complete CSRF setup
React hooks for CSRF token management
Double submit cookie pattern

Common Mistakes

Assuming authentication prevents CSRF
Reusing tokens across sessions
Storing tokens in localStorage
Missing token expiration

Repository: github.com/secondsky/claude-skills
Last updated: about 1 month ago
Created: about 1 month ago

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.