Implement CSRF protection: Generate tokens, set secure cookies, associate with clients, and use environment variables.

Implement Node.js CSRF utility: Generate tokens, secure cookies, prevent cross-site request forgery attacks.  

Creating and Managing CSRF Tokens With Node.js

[00:00] So the first thing we're going to want to do is create a utility for managing the CSRF utility. So csrf.server.ts in our utils here, and the CSRF utility is created with new CSRF coming from RemixUtils CSRF server.

[00:18] Then we've got a couple of options that we can provide here. So cookie being the primary one, and we need to create a cookie object. So we're going to create a cookie using createCookie from RemixRunNode. So our cookie will be equal to createCookie.

[00:38] We're going to call this cookie CSRF, and this is just a mechanism for storing a value in the browser's cookie jar. So we're going to configure a couple of things here, and we'll dive deeper into cookies when we get to authentication. But we'll just give you a little bit of a peek

[00:56] into the cookie config right here. So HTTP-only, we want that actually to be true. We don't want client-side JavaScript to be able to inspect this cookie. We also have our path. We want this to apply to the entire site, so we'll just say slash right here, and we'll set secure to

[01:16] surprisingly if the node environment is production. During development, we're running HTTP localhost. I don't want to run an HTTPS server locally. You totally can. I don't really care to. Chromium-based browsers are totally fine with that. They'll say, oh yeah, it's a secure cookie, but you're working localhost, so no big deal.

[01:35] But Safari is not super jazzed about that, so we're going to set secure to based only if we're in production. Then we're going to do same site lacks. That means if a site links over to our site, then those requests will send the cookie. That is desired behavior.

[01:52] In fact, I think that may even be the default behavior. Then finally, we've got a bit of a tricky one, and this is secrets. Secrets allows us to say, we want to have this cookie be signed in a way that says, this cookie was absolutely created by you.

[02:10] By providing a secret that only we know, then we can create cookies that we know for certain are created by us and not created by other individuals, nefarious actors. What happens is, it will encode the cookie into some funny looking value, which can be decoded,

[02:29] but it includes a signed portion, so that when we come back and try to read that cookie, we're going to check the signed portion and see whether or not we were the ones who created the cookie, because you can only create that signed portion if you have access to these secrets. For that secrets bit,

[02:48] we're going to go to our ENV and we'll add a session secret environment variable. This you would typically set as part of your environment. With Fly, you have Fly secrets set and all that. But during local development, you'll typically have a .ENV file that you just set things to,

[03:06] so say super duper secret or something like that. Then you'll just make sure that this is set in production. But you don't have to just pray that it's set in production. We can actually verify that it's going to be set by going to our ENV server utility here and

[03:23] adding the session secret that should be a string. If it's not there, then it's going to throw an error, and we'll be in a good place. We'll at least know what went wrong there. We've got our secrets. We're going to say process ENV.SessionSecret, and we'll split it by comma.

[03:42] The reason we split it by comma is because secrets is actually expects an array. The reason it expects an array of strings is so that if somehow your secret were to get leaked, then you want to make sure you rotate your secrets or you get a new one and reset that. But if you were to just change it,

[04:01] then all of the existing cookies would be invalid. To be able to continue to decode old ones and not fail on those, but make new ones with the new secret, we provide an array of secrets. The first one being the one that we're creating and signing new cookies with,

[04:21] and then the other ones being ones that we'll check with when we verify whether a cookie is valid. Now, of course, if a secret really were to get leaked, then you'd probably want to just get rid of everything, and that would just be a really bad news for everybody and start fresh. But having a rotation of secrets is a pretty common practice just

[04:39] to avoid unknowingly having a secret be leaked. This is just part of that rotation process to make it easier to rotate these secrets. You can add a new secret to the beginning of this array or this comma separated list of

[04:57] session secret pieces in your environment variable. Great. With that cookie setup, we now have our CSRF all ready to go. We can export const CSRF, and that is going to be our CSRF utility. Now, there are some other options here,

[05:14] but we only really need to specify the cookie for our use case. Now that we've got that setup, let's go to the root and we'll come up here to our loader. We're going to use the CSRF to get both the token generated as well as a set cookie header

[05:32] so that the browser will store that cookie. We'll get our CSRF token and CSRF cookie header from the CSRF, which is our utility there, dot commit token, and we don't need to pass the honey prompts.

[05:50] In fact, actually, I'll explain that here in a second. This is going to be async, so we're going to await that. Then we'll add our set cookie header here. Headers right here, and then set cookie. This will be our CSRF cookie header,

[06:09] and then our CSRF token is going to be passed along with our JSON. Then we'll use this here in the next step of the exercise to provide that to everything. But suffice it to say, right now, we are setting the cookie header. Before we actually look at that though, we need to talk about the fact that

[06:27] headers has got this red underline under it. That's TypeScript saying, hey, it's possibly null. This CSRF cookie header could be null, and you can't set a set cookie to null, which I suppose that makes sense. We'll just say, if it does exist, then we'll set it to this object. Otherwise, we'll set it to this one.

[06:46] This is empty object of headers. Yeah, there we go. Make it just one gigantic line. The reason that it could possibly be null is, we don't want to have a new CSRF token generated every single time the user lands on the page,

[07:04] especially if they have two tabs open. They open up one tab, they open up a second tab, that second tab set the cookie. It's a new CSRF header, and this tab has the old one. Then this tab submits, and it's going to be the wrong CSRF token. We need to preserve that token

[07:22] as the user opens up a bunch of tabs. The way we do this is, we get the request from the data function args, and then we pass the request to the commit token. Then commit token will then read the cookie header, and if there's already a CSRF token, then it will use that existing one,

[07:40] and it will return null for the set cookie header. Let's see all this in action. We'll pull up our DevTools. We'll look at our network tab, and we'll scooch this over just a bit. When I refresh the page, and we should see a set cookie header right there. There's the CSRF.

[07:59] It's got the funny encoding because we're encoding that and signing it. Then we've got our path and HTTP only and same site lacks, all the things we configured it to do, and then we can look at the application tab and see our cookie is a happy-go-lucky right there. Then also because we are providing this request,

[08:18] if I refresh, then that value should be the same, and I think it's the same. You can pause the video, I suppose, and check, but that looks the same to me. We're all set with those changes to make it so that we pass that token along with any form submissions

[08:35] and prevent these terrible cross-site request forgery attacks. So really quick to review. First, we made a cookie and then used that to create our CSRF utility, and then we updated our loader to pass that CSRF token

[08:52] and set that cookie header as necessary. That is the setup piece of getting our CSRF token into the browser.

CSRF Protection with Cookies 

[00:00] For this first step, we're going to get a little bit of a peek into using cookies to persist some data so that we can associate this authenticity token with the particular client, so that when they submit their forms, we can check between the cookie that the client has and the token that was submitted in the form.

[00:19] There's going to be a little bit of that. We're not going to dive too deep into the cookies until a future workshop, once we talk about authentication. You're going to be creating a cookie, you're going to be creating a CSRF object that will contain utilities that we're going to use to generate a CSRF as well as the cookie header.

[00:37] You're going to be working in a utility file, you're also going to be working in the root loader so that you can generate that token and set that cookie and send it to the client. That's as far as we're going to get, and then in the next step, we'll go to actually integrating that with the form. This will also involve an environment variable so that we can sign

[00:57] the cookie to prevent anybody from trying to create their own or tampering with that cookie. This is just the first step of a multi-step process for adding CSRF protection. Have a good time and we'll see you when you're done.

Forms are the primary mechanism for interactivity on the web.

But for all of their importance, forms can be incredibly frustrating for developers and users alike.

There are a lot of moving parts to consider: 

You need to validate user input and handle complex data structures, while being secure from bots and data-stealing attacks. The UI should inform users of any issues as quickly as possible, and be accessible for all.

The Professional Web Forms Workshop will equip you with the tools to handle all of these challenges and more.

## Form Validation

HTML has several attributes built-in that help with form element validation. Unfortunately, they're not enough on their own. On the client-side, bad actors can bypass checks by manually adding the `novalidate` attribute or making requests directly. On the server side, there's no standard way to respond to validation errors other than a generic 400 status code.

In this section, you'll implement a base level of form validation:

- Essential HTML attributes for validation
- Server-side validation with JSON responses
- Displaying errors with the `useActionData` hook
- Disabling default browser validation messages with `useHydrated`

## Accessibility

Accessibility is often an afterthought, but should be a priority. While forms are just one part of the accessibility equation, they're a big one. In this section, you'll learn how to make sure your forms accessible and usable by all of your application's users:

- Properly associating labels with input fields
- Adding appropriate ARIA attributes when necessary
- Manage keyboard focus in response to errors and user interactions
- Creating and using a `useFocus` hook to direct the user’s focus
- Considerations for accessibility testing

## Schema-Based Validation

Manually writing conditional checks for every field in every form is tedious and error-prone: *Is there content in the field? Is it the right type? Is it within the acceptable range? There must be a better way!*

Fortunately, the combination of the Zod and Conform libraries makes it easy to define reusable declarative schemas to validate form data on the client and server:

- Safely replace HTML validation attributes with schemas
- Zod error handling & message customization
- Progressively enhanced validation with Conform
- Share type-safe validation logic between client and server

## File Uploads

Forms need to support more than just text. Images, videos, audio files, and other documents need a different type of input. Depending on the size of the file, you'll have considerations for how and where it is uploaded. In this section, you'll learn how to handle file uploads in a secure and efficient way:

- Uploading images from an `ImageChooser` component
- Handling file uploads on the server
- Schema validation for file uploads with Zod

## Complex Data Structures

The `FormData` API does not support representing objects or arrays– only key/value pairs. It also won't allow you to nest forms within each other. This makes representing complex data structures difficult without jumping through some hoops. Luckily for us, Conform has a great solution when your forms get complex. Here you'll practice:

- Infer field types with Zod
- Nesting objects as a form
- Represent arrays of fields with the `useFieldList` utility
- Add and remove items with Conform's `intent` buttons

## Spam Prevention with Honeypots

Spam bots are constantly crawling the web, looking for forms to submit junk data to boost their client’s search engine rankings and find holes in your security. This can strain server resources, contaminate databases, and cause other unforeseen consequences. One way to combat this is by using a "honeypot", which will prevent a form from being submitted by a bot. This section will teach you how to:

- Create a simple hidden-field validation
- Add a configurable honeypot instance to an action
- Prevent form submissions that are too fast
- Use environment variables for encryption seeds

## CSRF Protection

Cross-Site Request Forgery (CSRF) attacks are a type of malicious exploit where a user is tricked into performing an action they did not intend to. This is usually done by embedding a link or form in a page that the user is already authenticated to. Think of a user logged into their bank account clicking a link that transfers money from their bank account to the attacker's. To prevent this type of attack, you'll want to:

- Create a signed cookie in the user's browser
- Include unique user tokens in forms
- Validate tokens on the server via request headers

## Rate Limiting

You definitely want to prevent bad actors from making tons of requests to try to brute-force their way into your app or cause general chaos. However, malicious intent and spam aren't the only reasons you need to protect your site. Even too many legitimate requests can cause problems. Rate limiting is a way to prevent users from overloading your server with requests. Here you'll learn:

- Considerations for different limits for `GET` vs. `POST` requests
- Implementing basic rate limiting with Express middleware
- Tiered rate limiting depending on which form is being submitted

The Professional Web Forms Workshop will equip you for building complex, fully accessible forms that handle validation and file uploads while preventing spam.

Professional Web Forms

Kent C. Dodds

Full Stack Vol 1

Intro to Professional Web Forms Workshop

Introduction to Workshop

Intro to Form Validation 

Discover the importance of validation in web apps. Learn to implement required field validation for data integrity and UX enhancement.

Leverage HTML attributes for form validation, enhancing UX and accessibility. Explore browser validation and screen reader integration for user guidance.

Form Validation for Accessibility

Required Field Validation for User Input

Implement server-side validation to enhance security and user assistance, preventing client-side bypass. Customize error messages for a seamless design.

Master server-side form validation for data integrity and user-friendly error messages. Enhance UX by securely validating input before server processing.

Server-Side Form Validation and Error Handling

Server-side Validation and Custom Error Messages

Prevent incorrect form submissions pre-JavaScript with novalidate attribute using useHydrated hook. Elevate UX, maintain data integrity.

Optimize form validation with 'useHydrated' hook for client-side hydration. Enhance UX with browser-built and server-side validation synergy.

Form Validation with Client-Side Hydration

Dynamic Error Validation with Hooks

Dad Joke Break From Validation

Form Validation

Intro to Accessibility

Learn how to troubleshoot and fix issues with a non-functioning reset button and accessibility problems in a web form.

Learn how to properly associate buttons and form elements, such as the reset button, with their respective forms for improved functionality and accessibility.

Improving Accessibility and Form Associations

Fixing Form Reset Button and Accessibility Issues

Associate error messages with input fields via ARIA attributes for precise screen reader notifications. Learn about semantic HTML and ARIA for accessibility.

Use ARIA attributes like ARIA invalid & describedby. Link error messages to inputs for improved screen reader support, aiding assistive tech users.

Accessible Forms with ARIA Attributes

Error Messages and Accessibility with ARIA Attributes

Enhance app accessibility & UX with focus management: auto-focus error fields, programmable forms, & better editing. Create an inclusive, user-friendly app.

Enhance React app accessibility and UX: auto-focus form inputs and navigate to error messages for improved handling of form errors.

Managing Focus for Form Errors

Focus Management for Better User Experience

Dad Break Joke Accessibility

Accessibility

Intro to Schema Validation

Optimize development with Zod schema validation. Boost efficiency and code robustness, replacing custom logic for an enhanced developer experience. 

Learn how to implement schema validation using Zod in a note editor application. Discover how to define and enforce data

Schema Validation with Zod 

Schema Validation 

Data parsing with Conform's Conform utility. Apply server-side logic and streamline development with additional UI utilities for efficient form handling.

Improve UX & enable progressive enhancement: Replace form validation & error handling with powerful Zod utility in your app

 Form Submission and Error Handling with Conform & Zod

Form Data Parsing with Conform

Enhance UI with Conform's React utilities for end-to-end type safety. Leverage progressive enhancement for a fabulous development experience.

Eliminate custom code for better UX. Seamlessly manage form submission and client-side validation with Conform, ensuring robust server-side validation

Simplifying Form Handling with Conform and Schema Validation

Type Safety with Conform

Dad Joke Break Schema Validation

Schema Validation

Intro to File Upload

Add file upload to edit page for user-friendly image & file attachments. Handle uploads in Remix, enforcing size limits. 

Integrate image upload with form data and memory handling. Use image chooser, manage existing images, set encoding, size limit, and specify alt text. 

Image Upload with Form Data and Memory Upload Handling

File Upload Functionality 

Improve code quality and address TypeScript errors for a robust application, making Lily the life jacket (and yourself) happy.

Update schema for image ID, alt text, and file uploads. Master file validation with Zod for size restrictions and error handling on client & server sides. 

Validating File Uploads with Zod Schema in a Web Application

TypeScript Integration

Dad Joke Break File Upload

File Upload

Intro to Complex Structures 

Address challenges in grouping properties into sub-objects in forms, especially for multiple image uploads. Satisfy Zod's requirements for seamless integration.

Learn to add image field set schema to Zod schema, update HTML elements, and integrate with Conform for type safety and form functionality. 

Implementing Image Field Set with Conform and TypeScript

Grouping and Managing Related Fields in Form Objects

Update your app's schema for multiple images, adapt actions/components, and enable seamless addition/removal of multiple images for an enhanced user experience.

Master dynamic image lists with Qualifax: add and remove images effortlessly. Update schema, implement field sets, and iterate through image choosers with ease.

Dynamic Image Lists with Field Sets 

Multiple Image Uploading 

Dynamic image addition and deletion with alt text functionality, progressive enhancements, and input submission using Conform utilities in web development

Master dynamic button generation for form accessibility using Conform utilities. Modify field sets with list functions, explore progressive enhancement.

Dynamically Delete and Add Buttons

 Interactive Image Management

Dad Joke Break Complex Structures 

Complex Structures

Intro to Honeypot

Add a hidden input field honeypot to deter spam bots, enhance deliverability, and prevent spam issues. Explore additional tips for form security.

Boost sign-up form security with invisible honeypot fields to catch spam bots. Discover effective techniques for handling bot submissions in your app.

Honeypot Fields in Sign Up Forms

Adding a Honeypot to Protect Against Spam Bots

Protect your website from spam bots with automatic updates to Honeypot configurations.

Enhance security with Remix Utils Honeypot fields. Customize divs, ARIA, and server-side validation to deter spam. Best practices for errors and HTTP codes.

Honeypot Fields for Form Security

Honeypot Protection with `remix-utils`

Efficiently implement Honeypot security on forms: Transfer server data to client for reliable bot protection.

Implement honeypot protection: Create provider, configure props, render components, prevent quick form submission, thwart automated bots.

Honeypot Protection

Honeypots for Form Security 

Ensure consistent Honeypot encryption secret across servers and regions for form data integrity and conflict avoidance

Securely add honeypot secret to server validation, configure in local .env for data protection.

Setting Up Honeypot Security for Server Environment Variables

Consistent Encryption with Honeypot Server

Dad Joke Break Honeypot

Honeypot

Intro to CSRF

Protect user data with authenticity tokens: Render, verify, and enhance user experience.

Secure forms with Authenticity Token input and CSRF validation for protection against tampering. Improve security and error responses.

Security with Authenticity Token and CSRF Validation

Authenticity With Token Protection 

Dad Joke Break CSRF

Cross-Site Request Forgery

Intro to Rate Limit 

Learn how to implement rate limiting middleware in Express for efficient resource management in your server.

Safeguarding Your Server: Adding Rate Limit Configuration

Optimizing Your Express Server with Rate Limiting Middleware

Implement tiered rate limiting: Strong for sign-up/login, moderate for posts, and general defense. Custom middleware assigns tiers.

Professional Web Forms

Professional Web Forms

Transcript

CSRF Protection with Cookies

Transcript