DeterministicESPAsyncWebServer v6.27.1
Zero-allocation, bounded-execution async HTTP server for ESP32
Loading...
Searching...
No Matches
csrf.h File Reference

Stateless HMAC-signed CSRF token (DETWS_ENABLE_CSRF). More...

#include "ServerConfig.h"

Go to the source code of this file.

Detailed Description

Stateless HMAC-signed CSRF token (DETWS_ENABLE_CSRF).

A CSRF token is <nonce_hex>.<sig_hex> where sig = the first CSRF_SIG_BYTES of HMAC-SHA256(secret, nonce). The secret is seeded once from the hardware RNG at begin(); the nonce is a per-issue counter (it need not be secret - the security is the HMAC). Verification recomputes the HMAC over the embedded nonce and constant-time compares the signature, so no server-side session state is kept.

The token is sized to fit a single MAX_VAL_LEN header value and a csrf= cookie. These functions are pure (no Arduino dependency) so they unit-test on the host (with DETWS_ENABLE_CSRF set) using a fixed secret.

Author
Douglas Quigg (dstroy0)
Date
2026

Definition in file csrf.h.