CSRF — Aquilia Documentation
Comprehensive guide and documentation for CSRF in the Aquilia framework. View API reference, examples, and implementation patterns.
MIDDLEWARE / CSRF PROTECTION CSRFMiddleware The CSRFMiddleware blocks Cross-Site Request Forgery attacks. It uses the Synchronizer Token Pattern backed by server-side sessions, falling back to a signed Double Submit Cookie when sessions are unavailable. Constructor Configuration The middleware is highly configurable to suit standard SPA or MVC page rendering layouts: secret_key: str | None = None — HMAC key for double-submit cookie validation. Generates an ephemeral key per-process if omitted. header_name: str = "X-CSRF-Token" — The request header name containing the validation token. field_name: str = "_csrf_token" — The form field name containing the validation token. exempt_paths: list[str] | None = None — List of URL prefixes exempted from CSRF validation (e.g. webhooks). exempt_content_types: list[str] | None = None — Exempts requests carrying matching content types (e.g. "application/json"). trust_ajax: bool = False — Bypasses validation if X-Requested-With: XMLHttpRequest is present, trusting the browser's same-origin boundary. Usage Example from aquilia.middleware_ext import CSRFMiddleware from aquilia.workspace import Workspace from aquilia.integrations import MiddlewareChain workspace = Workspace("myapp").middleware( MiddlewareChain().use( "aquilia.middleware_ext.security:CSRFMiddleware", priority=15, secret_key="production-only-secure-key-phrase", exempt_paths=["/stripe/webhooks"], trust_ajax=True ) ) Overview )
Go to Homepage