CSRF protection using HMAC-signed state tokens (RFC 5869, RFC 2104)
Clone this repository

https://tangled.org/gazagnaire.org/ocaml-csrf https://tangled.org/did:plc:jhift2vwcxhou52p3sewcrpx/ocaml-csrf
git@git.recoil.org:gazagnaire.org/ocaml-csrf git@git.recoil.org:did:plc:jhift2vwcxhou52p3sewcrpx/ocaml-csrf

README.md

CSRF - CSRF protection using HMAC-signed state tokens

CSRF protection using HMAC-signed state tokens with HKDF key derivation (RFC 5869) and constant-time signature verification. Provides sign_state and verify_state functions for secure OAuth state parameters.

Installation

Install with opam:

$ opam install csrf

If opam cannot find the package, it may not yet be released in the public opam-repository. Add the overlay repository, then install it:

$ opam repo add samoht https://tangled.org/gazagnaire.org/opam-overlay.git
$ opam update
$ opam install csrf

Documentation

Example

Use a signed state value for OAuth redirects and verify the exact value when the browser returns:

let signed = Csrf.sign_state ~secret:"server secret" "oauth-login"

let () =
  match Csrf.verify_state ~secret:"server secret" signed with
  | Some payload -> assert (payload = "oauth-login")
  | None -> failwith "tampered state"
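To make the mechanism concrete, the following is an added reference implementation of the same scheme in Python; it is not the ocaml-csrf code. HKDF-SHA256 (RFC 5869) derives a dedicated signing key from the server secret, HMAC-SHA256 (RFC 2104) signs the payload, and verification compares tags in constant time before decoding anything. The salt, info string and the body.tag token encoding are assumptions of this example, not the library's wire format.

```python
import base64
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 section 2.2: PRK = HMAC-Hash(salt, IKM)
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # RFC 5869 section 2.3: T(i) = HMAC-Hash(PRK, T(i-1) | info | i), OKM = T(1) | T(2) | ...
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([i]), HASH).digest()
        okm += t
        i += 1
    return okm[:length]

def derive_key(secret: str) -> bytes:
    # The server secret is never used as the HMAC key directly; HKDF gives a
    # domain-separated signing key. Salt and info are constants assumed here.
    prk = hkdf_extract(b"csrf-state-salt", secret.encode())
    return hkdf_expand(prk, b"csrf state signing key", HASH_LEN)

def sign_state(secret: str, payload: str) -> str:
    # Token layout (assumed): urlsafe-base64(payload) "." hex(HMAC-SHA256(key, body))
    key = derive_key(secret)
    body = base64.urlsafe_b64encode(payload.encode()).decode()
    tag = hmac.new(key, body.encode(), HASH).hexdigest()
    return f"{body}.{tag}"

def verify_state(secret: str, token: str):
    # Returns the payload on success, None on any malformed or tampered token.
    body, sep, tag = token.rpartition(".")
    if not sep or not body:
        return None
    expected = hmac.new(derive_key(secret), body.encode(), HASH).hexdigest()
    # Constant-time comparison: a plain == would leak how many leading bytes match.
    if not hmac.compare_digest(expected, tag):
        return None
    # Only decode after the tag has been checked, so untrusted bytes are never parsed first.
    try:
        return base64.urlsafe_b64decode(body).decode()
    except (ValueError, UnicodeDecodeError):
        return None
```

The HKDF functions are written against the RFC 5869 definitions directly, so they can be checked against the RFC's published test vectors.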