=head1 NAME

Mojolicious::Plugin::CSRFProtect - Fully protects you from CSRF attacks


    # Mojolicious

    # Mojolicious::Lite
    plugin 'CSRFProtect';
    # Use "form_for" helper and all your html forms will have CSRF protection token 

    <%= form_for login => (method => 'post') => begin %>
           <%= text_field 'first_name' %>
           <%= submit_button %>
    <% end %>
    # Place jquery_ajax_csrf_protection helper to your layout template 
    # and all on GET/HEAD  AJAX requests will have CSRF protection token (requires JQuery)
    <%= jquery_ajax_csrf_protection %>

    # Custom error handling
    $self->plugin('CSRFProtect', on_error => sub {
        my $c = shift;
        # Do whatever you want here
        # ... 

L<Mojolicious::Plugin::CSRFProtect> is a L<Mojolicious> plugin which fully protects you from CSRF attacks.

It does next things:

1. Adds a hidden input (with name 'csrftoken') with CSRF protection token to every form 
(works only if you use C<form_for> helper from Mojolicious::Plugin::TagHelpers.) 

2. Adds the header "X-CSRF-Token" with CSRF token to every AJAX request (works with JQuery only)   

3. Rejects all non GET/HEAD requests without the correct CSRF protection token.

If you want protect your GET/HEAD requests then you can do it manually

In template: <a href="/delete_user/123/?csrftoken=<%= csrftoken %>">

In controller: $self->is_valid_csrftoken() 

=head1 CONFIG

=head2 C<on_error>

You can pass custom error handling callback. For example

    $self->plugin('CSRFProtect', on_error => sub {
        my $c = shift;
        $c->render(template => 'error_403', status => 403 ); 

=head1 HELPERS

=head2 C<form_for>

This helper overrides the C<form_for> helper from Mojolicious::Plugin::TagHelpers 

and adds hidden input with CSRF protection token.

=head2 C<jquery_ajax_csrf_protection>

This helper adds CSRF protection headers to all JQuery AJAX requests.
You should add <%= jquery_ajax_csrf_protection %> in head of your HTML page. 

=head2 C<csrftoken>

returns  CSRF Protection token. 

In templates <%= csrftoken %>

In controller $self->csrftoken;
=head2 C<is_valid_csrftoken>

With this helper you can check $csrftoken manually. It will take $csrftoken from $c->param('csrftoken');
$self->is_valid_csrftoken() will return 1 or 0

=head1 AUTHOR

Viktor Turskyi <koorchik@cpan.org>

