Question 1

How to use nosurf with Go Gin framework?

Accepted Answer

Wrap your Gin router with nosurf's CSRFHandler, as nosurf is compatible with any http.Handler. For example, use gin.WrapH to adapt it, and ensure tokens are included in forms or manually verified for APIs.

Question 2

nosurf vs gorilla/csrf which is better?

Accepted Answer

nosurf is dependency-free and works with any handler, while gorilla/csrf is part of the Gorilla toolkit and might integrate better with other Gorilla components. Choose nosurf for minimalism or gorilla/csrf if you're already using Gorilla packages.

Question 3

How to exempt API endpoints from CSRF in nosurf?

Accepted Answer

Use methods like ExemptPath, ExemptGlob, or ExemptRegexp on the CSRFHandler to exclude specific URLs. For JSON APIs, exempt the endpoint and manually verify tokens using VerifyToken as shown in the README.

Question 4

Does nosurf work with Single Page Applications (SPA)?

Accepted Answer

Yes, but it requires manual setup for token handling in JSON requests. Exempt API endpoints or use manual verification, and ensure tokens are transmitted via headers or custom fields, which can be cumbersome for complex SPAs.

Question 5

What are the performance implications of using nosurf?

Accepted Answer

Performance impact is minimal as it uses efficient token validation and has no external dependencies. However, manual verification and exemption checks add slight overhead, but it's negligible for most applications.

nosurf

What is nosurf?

Overview

Use Cases

Best For

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions