NAME
    Plack::Middleware::XSRFBlock - Block XSRF Attacks with minimal changes
    to your app

VERSION
    version 0.0.0_01

DESCRIPTION
    This middleware blocks XSRF. You can use this middleware without any
    modifications to your application.

EXPLANATION
    This module is similar in nature and intention to
    Plack::Middleware::CSRFBlock but implements the xSRF prevention in a
    different manner.

    The solution implemented in this module is based on a CodingHorror
    article - Preventing CSRF and XSRF Attacks
    <http://www.codinghorror.com/blog/2008/10/preventing-csrf-and-xsrf-attac
    ks.html>.

    The driving comment behind this implementation is from the Felten and
    Zeller paper
    <https://www.eecs.berkeley.edu/~daw/teaching/cs261-f11/reading/csrf.pdf>
    :

        When a user visits a site, the site should generate a
        (cryptographically strong) pseudorandom value and set it as
        a cookie on the user's machine. The site should require
        every form submission to include this pseudorandom value as
        a form value and also as a cookie value. When a POST request
        is sent to the site, the request should only be considered
        valid if the form value and the cookie value are the same.
        When an attacker submits a form on behalf of a user, he can
        only modify the values of the form. An attacker cannot read
        any data sent from the server or modify cookie values, per
        the same-origin policy.  This means that while an attacker
        can send any value he wants with the form, he will be unable
        to modify or read the value stored in the cookie. Since the
        cookie value and the form value must be the same, the
        attacker will be unable to successfully submit a form unless
        he is able to guess the pseudorandom value.

  What's wrong with Plack::Middleware::CSRFBlock?
    Plack::Middleware::CSRFBlock is a great module. It does a great job of
    preventing CSRF behaviour with minimal effort.

    However when we tried to use it uses the session to store information -
    which works well most of the time but can cause issues with session
    timeouts or removal (for any number of valid reasons) combined with
    logging (back) in to the application in another tab (so as not to
    interfere with the current screen/tab state).

    Trying to modify the existing module to provide the extra functionality
    and behaviour we decided worked better for our use seemed too far
    reaching to try to force into the existing module.

  SEE ALSO
    Plack::Middleware::CSRFBlock, Plack::Middleware, Plack

AUTHOR
    Chisel <chisel@chizography.net>

COPYRIGHT AND LICENSE
    This software is copyright (c) 2013 by Chisel Wright.

    This is free software; you can redistribute it and/or modify it under
    the same terms as the Perl 5 programming language system itself.

