Ring middleware to prevent CSRF attacks.



Binding that stores an anti-forgery token that must be included
in POST forms or in HTTP headers if the handler is wrapped in the
wrap-anti-forgery middleware.

The default session strategy stores the token directly,
but other strategies may wrap the token in a delay if the
token is expensive to compute. The var should therefore be
realized with clojure.core/force before use.


(wrap-anti-forgery handler)(wrap-anti-forgery handler options)
Middleware that prevents CSRF attacks. Any POST request to the handler
returned by this function must contain a valid anti-forgery token, or else an
access-denied response is returned.

The anti-forgery token can be placed into a HTML page via the
*anti-forgery-token* var, which is bound to a (possibly deferred) token.
By default, the token is expected to be in a form field named
'__anti-forgery-token', or in the 'X-CSRF-Token' or 'X-XSRF-Token'

Accepts the following options:

:read-token     - a function that takes a request and returns an anti-forgery
                  token, or nil if the token does not exist

:error-response - the response to return if the anti-forgery token is
                  incorrect or missing

:error-handler  - a handler function to call if the anti-forgery token is
                  incorrect or missing

:strategy       - a strategy for creating and validating anti-forgety tokens,
                  which must satisfy the
                  ring.middleware.anti-forgery.strategy/Strategy protocol
                  (defaults to the session strategy:

Only one of :error-response, :error-handler may be specified.