Question 1

How do I use gorilla/csrf with a React single-page application?

Accepted Answer

Embed the CSRF token in a response header using csrf.Token, then have your React app read it and include it in the X-CSRF-Token header for all POST/PUT requests. The README provides an Axios example for this integration.

Question 2

gorilla/csrf vs other Go CSRF libraries like nosurf?

Accepted Answer

gorilla/csrf offers battle-tested design from Django/Rails with masked tokens and framework agnosticism, while nosurf is simpler but may lack features like trusted origins. Choose gorilla/csrf for robustness and flexibility in complex setups.

Question 3

Does gorilla/csrf support SameSite cookie settings?

Accepted Answer

Yes, use the csrf.SameSite option to set SameSiteStrictMode or SameSiteLaxMode, which helps prevent cross-site request forgery by controlling when cookies are sent, as detailed in the README's examples.

Question 4

How to configure gorilla/csrf for cross-domain API requests?

Accepted Answer

Use the csrf.TrustedOrigins option to specify allowed domains, ensuring that CSRF tokens from your JavaScript frontend on another domain are validated correctly without triggering security errors.

Question 5

What happens if the CSRF token is invalid in gorilla/csrf?

Accepted Answer

By default, it returns a 403 Forbidden response, but you can customize this with csrf.ErrorHandler to provide user-friendly error pages or log details for debugging.

Question 6

Best way to secure the 32-byte key in production for gorilla/csrf?

Accepted Answer

Store the key in environment variables or a secrets manager like HashiCorp Vault, never hardcode it, and ensure it's consistent across deployments to avoid breaking existing user sessions.

csrf

What is csrf?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions