|
DeterministicESPAsyncWebServer v6.27.1
Zero-allocation, bounded-execution async HTTP server for ESP32
|
Stateless HMAC-signed CSRF token (DETWS_ENABLE_CSRF). More...
#include "ServerConfig.h"Go to the source code of this file.
Stateless HMAC-signed CSRF token (DETWS_ENABLE_CSRF).
A CSRF token is <nonce_hex>.<sig_hex> where sig = the first CSRF_SIG_BYTES of HMAC-SHA256(secret, nonce). The secret is seeded once from the hardware RNG at begin(); the nonce is a per-issue counter (it need not be secret - the security is the HMAC). Verification recomputes the HMAC over the embedded nonce and constant-time compares the signature, so no server-side session state is kept.
The token is sized to fit a single MAX_VAL_LEN header value and a csrf= cookie. These functions are pure (no Arduino dependency) so they unit-test on the host (with DETWS_ENABLE_CSRF set) using a fixed secret.
Definition in file csrf.h.