Interface RestCsrfConfig


@ConfigRoot(phase=RUN_TIME) @ConfigMapping(prefix="quarkus.rest-csrf") public interface RestCsrfConfig
Runtime configuration for the CSRF Reactive Filter.
  • Method Details

    • formFieldName

      @WithDefault("csrf-token") String formFieldName()
Name of the form field that carries the CSRF token.
    • tokenHeaderName

      @WithDefault("X-CSRF-TOKEN") String tokenHeaderName()
Name of the HTTP header that may carry the CSRF token.
    • cookieName

      @WithDefault("csrf-token") String cookieName()
      CSRF cookie name.
    • cookieMaxAge

      @WithDefault("2H") Duration cookieMaxAge()
      CSRF cookie max age.
    • cookiePath

      @WithDefault("/") String cookiePath()
      CSRF cookie path.
    • cookieDomain

      Optional<String> cookieDomain()
      CSRF cookie domain.
    • cookieForceSecure

      @WithDefault("false") boolean cookieForceSecure()
If enabled, the CSRF cookie will have its 'secure' attribute set to 'true' even when plain HTTP is used. This may be necessary when running behind an SSL-terminating reverse proxy. The cookie is always marked secure when HTTPS is used, even if this property is set to false.
    • cookieHttpOnly

      @WithDefault("true") boolean cookieHttpOnly()
      Set the HttpOnly attribute to prevent access to the cookie via JavaScript.
    • createTokenPath

      Optional<Set<String>> createTokenPath()
Create a CSRF token only if the relative request path of an HTTP GET request matches one of the paths configured with this property. Use a comma to separate multiple path values.
    • tokenSize

      @WithDefault("16") int tokenSize()
      Random CSRF token size in bytes.
    • tokenSignatureKey

      Optional<String> tokenSignatureKey()
CSRF token HMAC signature key. If this key is set, it must be at least 32 characters long.
    • verifyToken

      @WithDefault("true") boolean verifyToken()
Verify the CSRF token in the CSRF filter. If you prefer, you can disable this property and compare the CSRF form and cookie parameters in application code using JAX-RS jakarta.ws.rs.FormParam (which refers to the formFieldName() form field) and jakarta.ws.rs.CookieParam (which refers to the cookieName() cookie). Note that even if token verification in the CSRF filter is disabled, the filter still checks that the token is present, that it has the correct tokenSize() in bytes, and that the Content-Type HTTP header is either 'application/x-www-form-urlencoded' or 'multipart/form-data'.
    • requireFormUrlEncoded

      @WithDefault("true") boolean requireFormUrlEncoded()
Require that only an 'application/x-www-form-urlencoded' or 'multipart/form-data' body is accepted for the token verification to proceed. Disable this property for the CSRF filter to avoid verifying the token for POST requests with other content types. This property is only effective if the verifyToken() property is enabled and tokenHeaderName() is not configured.
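As an added example (not code from the Quarkus project or from this page), a JAX-RS resource that performs the manual form-vs-cookie comparison described under verifyToken() when filter verification is disabled. It assumes the default field and cookie names ("csrf-token"), that tokenSignatureKey() is not set so both values hold the same raw token, and that verification is switched off with quarkus.rest-csrf.verify-token=false in application.properties (key derived from the quarkus.rest-csrf prefix and the method name).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.CookieParam;
import jakarta.ws.rs.FormParam;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;

// Hypothetical resource; assumes quarkus.rest-csrf.verify-token=false so the
// filter only checks presence, size and Content-Type, and the comparison is ours.
@Path("/transfer")
public class TransferResource {

    @POST
    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
    public Response transfer(
            // formFieldName() default: the token echoed back in the form body
            @FormParam("csrf-token") String formToken,
            // cookieName() default: the token the filter stored in the cookie
            @CookieParam("csrf-token") String cookieToken,
            @FormParam("amount") String amount) {
        if (!tokensMatch(formToken, cookieToken)) {
            // Reject the state-changing request; do not echo the tokens back.
            return Response.status(Response.Status.FORBIDDEN)
                    .entity("CSRF token mismatch").build();
        }
        // ... perform the state-changing operation here ...
        return Response.ok("transferred " + amount).build();
    }

    // Constant-time comparison so a partial match is not revealed by timing;
    // a missing form field or cookie (null) is treated as a mismatch.
    static boolean tokensMatch(String formToken, String cookieToken) {
        if (formToken == null || cookieToken == null) {
            return false;
        }
        return MessageDigest.isEqual(
                formToken.getBytes(StandardCharsets.UTF_8),
                cookieToken.getBytes(StandardCharsets.UTF_8));
    }
}
```

With tokenSignatureKey() set, the cookie no longer holds the raw token, so this plain equality check does not apply and filter verification should be left enabled.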