{
  "_args": [
    [
      {
        "raw": "csurf@~1.8.3",
        "scope": null,
        "escapedName": "csurf",
        "name": "csurf",
        "rawSpec": "~1.8.3",
        "spec": ">=1.8.3 <1.9.0",
        "type": "range"
      },
      "/Volumes/2009-SSD/GT2/GT2-iOS/node_modules/connect"
    ]
  ],
  "_from": "csurf@>=1.8.3 <1.9.0",
  "_id": "csurf@1.8.3",
  "_inCache": true,
  "_location": "/csurf",
  "_npmUser": {
    "name": "dougwilson",
    "email": "doug@somethingdoug.com"
  },
  "_npmVersion": "1.4.28",
  "_phantomChildren": {
    "inherits": "2.0.3",
    "statuses": "1.4.0"
  },
  "_requested": {
    "raw": "csurf@~1.8.3",
    "scope": null,
    "escapedName": "csurf",
    "name": "csurf",
    "rawSpec": "~1.8.3",
    "spec": ">=1.8.3 <1.9.0",
    "type": "range"
  },
  "_requiredBy": [
    "/connect"
  ],
  "_resolved": "https://registry.npmjs.org/csurf/-/csurf-1.8.3.tgz",
  "_shasum": "23f2a13bf1d8fce1d0c996588394442cba86a56a",
  "_shrinkwrap": null,
  "_spec": "csurf@~1.8.3",
  "_where": "/Volumes/2009-SSD/GT2/GT2-iOS/node_modules/connect",
  "author": {
    "name": "Jonathan Ong",
    "email": "me@jongleberry.com",
    "url": "http://jongleberry.com"
  },
  "bugs": {
    "url": "https://github.com/expressjs/csurf/issues"
  },
  "contributors": [
    {
      "name": "Douglas Christopher Wilson",
      "email": "doug@somethingdoug.com"
    }
  ],
  "dependencies": {
    "cookie": "0.1.3",
    "cookie-signature": "1.0.6",
    "csrf": "~3.0.0",
    "http-errors": "~1.3.1"
  },
  "description": "CSRF token middleware",
  "devDependencies": {
    "body-parser": "~1.12.4",
    "connect": "3",
    "cookie-parser": "~1.3.5",
    "cookie-session": "~1.1.0",
    "istanbul": "0.3.15",
    "mocha": "2.2.5",
    "supertest": "1.0.1"
  },
  "directories": {},
  "dist": {
    "shasum": "23f2a13bf1d8fce1d0c996588394442cba86a56a",
    "tarball": "https://registry.npmjs.org/csurf/-/csurf-1.8.3.tgz"
  },
  "engines": {
    "node": ">= 0.8.0"
  },
  "files": [
    "HISTORY.md",
    "LICENSE",
    "index.js"
  ],
  "gitHead": "3ebc176634b1a93ee4601a1c1929c0014d65e5ce",
  "homepage": "https://github.com/expressjs/csurf#readme",
  "keywords": [
    "csrf",
    "tokens",
    "middleware",
    "express"
  ],
  "license": "MIT",
  "maintainers": [
    {
      "name": "jongleberry",
      "email": "jonathanrichardong@gmail.com"
    },
    {
      "name": "dougwilson",
      "email": "doug@somethingdoug.com"
    },
    {
      "name": "tjholowaychuk",
      "email": "tj@vision-media.ca"
    },
    {
      "name": "mscdex",
      "email": "mscdex@mscdex.net"
    },
    {
      "name": "fishrock123",
      "email": "fishrock123@rocketmail.com"
    },
    {
      "name": "defunctzombie",
      "email": "shtylman@gmail.com"
    }
  ],
  "name": "csurf",
  "optionalDependencies": {},
  "readme": "# csurf\n\n[![NPM Version][npm-image]][npm-url]\n[![NPM Downloads][downloads-image]][downloads-url]\n[![Build status][travis-image]][travis-url]\n[![Test coverage][coveralls-image]][coveralls-url]\n[![Gratipay][gratipay-image]][gratipay-url]\n\nNode.js [CSRF](https://en.wikipedia.org/wiki/Cross-site_request_forgery) protection middleware.\n\nRequires either a session middleware or [cookie-parser](https://www.npmjs.com/package/cookie-parser) to be initialized first.\n\n  * If you are setting the [\"cookie\" option](#cookie) to a non-`false` value,\n    then you must use [cookie-parser](https://www.npmjs.com/package/cookie-parser)\n    before this module.\n  * Otherwise, you must use a session middleware before this module. For example:\n    - [express-session](https://www.npmjs.com/package/express-session)\n    - [cookie-session](https://www.npmjs.com/package/cookie-session)\n\nIf you have questions on how this module is implemented, please read\n[Understanding CSRF](https://github.com/pillarjs/understanding-csrf).\n\n## Installation\n\n```sh\n$ npm install csurf\n```\n\n## API\n\n```js\nvar csurf = require('csurf')\n```\n\n### csurf([options])\n\nCreate a middleware for CSRF token creation and validation. This middleware\nadds a `req.csrfToken()` function to make a token which should be added to\nrequests which mutate state, within a hidden form field, query-string etc.\nThis token is validated against the visitor's session or csrf cookie.\n\n#### Options\n\nThe `csurf` function takes an optional `options` object that may contain\nany of the following keys:\n\n##### cookie\n\nDetermines if the token secret for the user should be stored in a cookie\nor in `req.session`. Defaults to `false`.\n\nWhen set to `true` (or an object of options for the cookie), then the module\nchanges behavior and no longer uses `req.session`. This means you _are no\nlonger required to use a session middleware_. Instead, you do need to use the\n[cookie-parser](https://www.npmjs.com/package/cookie-parser) middleware in\nyour app before this middleware.\n\nWhen set to an object, cookie storage of the secret is enabled and the\nobject contains options for this functionality (when set to `true`, the\ndefaults for the options are used). The options may contain any of the\nfollowing keys:\n\n  - `key` - the name of the cookie to use to store the token secret\n    (defaults to `'_csrf'`).\n  - `path` - the path of the cookie (defaults to `'/'`).\n  - any other [res.cookie](http://expressjs.com/4x/api.html#res.cookie)\n    option can be set.\n\n##### ignoreMethods\n\nAn array of the methods for which CSRF token checking will disabled.\nDefaults to `['GET', 'HEAD', 'OPTIONS']`.\n\n##### sessionKey\n\nDetermines what property (\"key\") on `req` the session object is located.\nDefaults to `'session'` (i.e. looks at `req.session`). The CSRF secret\nfrom this library is stored and read as `req[sessionKey].csrfSecret`.\n\nIf the [\"cookie\" option](#cookie) is not `false`, then this option does\nnothing.\n\n##### value\n\nProvide a function that the middleware will invoke to read the token from\nthe request for validation. The function is called as `value(req)` and is\nexpected to return the token as a string.\n\nThe default value is a function that reads the token from the following\nlocations, in order:\n\n  - `req.body._csrf` - typically generated by the `body-parser` module.\n  - `req.query._csrf` - a built-in from Express.js to read from the URL\n    query string.\n  - `req.headers['csrf-token']` - the `CSRF-Token` HTTP request header.\n  - `req.headers['xsrf-token']` - the `XSRF-Token` HTTP request header.\n  - `req.headers['x-csrf-token']` - the `X-CSRF-Token` HTTP request header.\n  - `req.headers['x-xsrf-token']` - the `X-XSRF-Token` HTTP request header.\n\n## Example\n\n### Simple express example\n\nThe following is an example of some server-side code that generates a form\nthat requires a CSRF token to post back.\n\n```js\nvar cookieParser = require('cookie-parser')\nvar csrf = require('csurf')\nvar bodyParser = require('body-parser')\nvar express = require('express')\n\n// setup route middlewares\nvar csrfProtection = csrf({ cookie: true })\nvar parseForm = bodyParser.urlencoded({ extended: false })\n\n// create express app\nvar app = express()\n\n// parse cookies\n// we need this because \"cookie\" is true in csrfProtection\napp.use(cookieParser())\n\napp.get('/form', csrfProtection, function(req, res) {\n  // pass the csrfToken to the view\n  res.render('send', { csrfToken: req.csrfToken() })\n})\n\napp.post('/process', parseForm, csrfProtection, function(req, res) {\n  res.send('data is being processed')\n})\n```\n\nInside the view (depending on your template language; handlebars-style\nis demonstrated here), set the `csrfToken` value as the value of a hidden\ninput field named `_csrf`:\n\n```html\n<form action=\"/process\" method=\"POST\">\n  <input type=\"hidden\" name=\"_csrf\" value=\"{{csrfToken}}\">\n  \n  Favorite color: <input type=\"text\" name=\"favoriteColor\">\n  <button type=\"submit\">Submit</button>\n</form>\n```\n\n### Custom error handling\n\nWhen the CSRF token validation fails, an error is thrown that has\n`err.code === 'EBADCSRFTOKEN'`. This can be used to display custom\nerror messages.\n\n```js\nvar bodyParser = require('body-parser')\nvar cookieParser = require('cookie-parser')\nvar csrf = require('csurf')\nvar express = require('express')\n\nvar app = express()\napp.use(bodyParser.urlencoded({ extended: false }))\napp.use(cookieParser())\napp.use(csrf({ cookie: true }))\n\n// error handler\napp.use(function (err, req, res, next) {\n  if (err.code !== 'EBADCSRFTOKEN') return next(err)\n\n  // handle CSRF token errors here\n  res.status(403)\n  res.send('form tampered with')\n})\n```\n\n## License\n\n[MIT](LICENSE)\n\n[npm-image]: https://img.shields.io/npm/v/csurf.svg\n[npm-url]: https://npmjs.org/package/csurf\n[travis-image]: https://img.shields.io/travis/expressjs/csurf/master.svg\n[travis-url]: https://travis-ci.org/expressjs/csurf\n[coveralls-image]: https://img.shields.io/coveralls/expressjs/csurf/master.svg\n[coveralls-url]: https://coveralls.io/r/expressjs/csurf?branch=master\n[downloads-image]: https://img.shields.io/npm/dm/csurf.svg\n[downloads-url]: https://npmjs.org/package/csurf\n[gratipay-image]: https://img.shields.io/gratipay/dougwilson.svg\n[gratipay-url]: https://gratipay.com/dougwilson/\n",
  "readmeFilename": "README.md",
  "repository": {
    "type": "git",
    "url": "git+https://github.com/expressjs/csurf.git"
  },
  "scripts": {
    "test": "mocha --check-leaks --reporter spec --bail test/",
    "test-cov": "istanbul cover node_modules/mocha/bin/_mocha -- --check-leaks --reporter dot test/",
    "test-travis": "istanbul cover node_modules/mocha/bin/_mocha --report lcovonly -- --check-leaks --reporter spec test/"
  },
  "version": "1.8.3"
}