## CSRF - CSRF protection using HMAC-signed state tokens

CSRF protection using HMAC-signed state tokens with HKDF key derivation (RFC 5869) and constant-time signature verification. Provides `sign_state` and `verify_state` functions for secure OAuth state parameters.

## Installation

Install with opam:

```sh
$ opam install csrf
```

If opam cannot find the package, it may not yet be released in the public `opam-repository`. Add the overlay repository, then install it:

```sh
$ opam repo add samoht https://tangled.org/gazagnaire.org/opam-overlay.git
$ opam update
$ opam install csrf
```

## Documentation

## Example

Use a signed state value for OAuth redirects and verify the exact value when the browser returns:

```ocaml
let signed = Csrf.sign_state ~secret:"server secret" "oauth-login"

let () =
  match Csrf.verify_state ~secret:"server secret" signed with
  | Some payload -> assert (payload = "oauth-login")
  | None -> failwith "tampered state"
```
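The construction described above (HKDF-derived key, HMAC tag, constant-time check), sketched in Python as an added illustration; this is not the `csrf` package's code. The `body.tag` token layout, the `INFO` label, the empty HKDF salt and the helper names are assumptions made for the example, not the library's wire format.

```python
import base64
import hashlib
import hmac
from typing import Optional

INFO = b"example-oauth-state-v1"  # assumed context label, not from the csrf package


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869): extract a pseudorandom key, then expand it to `length` bytes."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def tag(secret: str, body: str) -> bytes:
    # The MAC key is derived from the server secret; the secret is never used directly.
    key = hkdf_sha256(secret.encode(), b"", INFO)
    return hmac.new(key, body.encode(), hashlib.sha256).digest()


def sign_state(secret: str, payload: str) -> str:
    body = b64(payload.encode())
    return body + "." + b64(tag(secret, body))


def verify_state(secret: str, token: str) -> Optional[str]:
    try:
        body, sig = token.split(".")
        presented = unb64(sig)
    except ValueError:  # wrong number of parts or undecodable signature
        return None
    # compare_digest takes the same time wherever the first mismatching byte is.
    if not hmac.compare_digest(tag(secret, body), presented):
        return None
    return unb64(body).decode()
```

The payload is decoded only after the tag has been checked, so unauthenticated input is never parsed.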