### Crumb Route Configuration Options Source: https://github.com/hapijs/crumb/blob/master/API.md Details the configuration options that can be applied on a per-route basis within a hapi.js application using the Crumb plugin. These allow for fine-grained control over CSRF protection for specific routes. ```APIDOC Crumb Route Configuration Options: * `false` - Description: Disable Crumb protection entirely for a specific route. * `key` - Description: The key used in view contexts and payloads for the crumb. Overrides the plugin's global `key`. - Type: string - Default: plugin.key * `source` - Description: Specifies where the crumb will be sent in requests. Can be 'payload' or 'query'. - Type: 'payload' | 'query' - Default: payload * `restful` - Description: An override for the server's 'restful' setting, enabling or disabling RESTful mode for this specific route. - Type: boolean - Default: plugin.restful ``` -------------------------------- ### Crumb Plugin Registration Options Source: https://github.com/hapijs/crumb/blob/master/API.md Details the configuration options available when registering the Crumb plugin with a hapi.js server. These options control the behavior and security settings of the CSRF protection mechanism. ```APIDOC Crumb Plugin Registration Options: * `key` - Description: The name of the cookie used to store the CSRF crumb. - Type: string - Default: 'crumb' * `size` - Description: The length of the crumb to generate. Corresponds to bits for security. - Type: number - Default: 43 (256 bits) - Note: See https://hapi.dev/module/cryptiles for more information. * `autoGenerate` - Description: Determines whether to automatically generate a new crumb for incoming requests. - Type: boolean - Default: true * `addToViewContext` - Description: Controls whether the crumb is automatically added to view contexts using the specified key. - Type: boolean - Default: true * `cookieOptions` - Description: Options for storing the cookie containing the crumb. Refer to hapi's `server.state()` documentation. - Type: object - Default: { path: '/' } - Note: The cookie is not secure by default; set 'secure: true' for production. * `headerName` - Description: Specifies the name of the custom CSRF header used for token validation. - Type: string - Default: 'X-CSRF-Token' * `restful` - Description: Enables RESTful mode, validating crumbs from the 'X-CSRF-Token' header for POST, PUT, PATCH, and DELETE requests. Disables payload/query validation. - Type: boolean - Default: false * `skip` - Description: A function that, if provided, is called for every request. If it returns true, crumb validation and generation are skipped. - Type: function(request, h) - Default: false * `enforce` - Description: If true, enforces CSRF validation. If false, sets the CSRF header cookie but does not execute validation. - Type: boolean - Default: true * `logUnauthorized` - Description: If true, logs unauthorized validation attempts with the tag 'crumb' and data 'validation failed'. - Type: boolean - Default: false ``` -------------------------------- ### Register Crumb Plugin in hapi.js Source: https://github.com/hapijs/crumb/blob/master/API.md Demonstrates how to register the Crumb plugin with a hapi.js server and configure a basic route. This snippet shows the essential steps for enabling CSRF protection in your application. ```javascript const Hapi = require('@hapi/hapi'); const Crumb = require('@hapi/crumb'); const server = new Hapi.Server({ port: 8000 }); (async () => { await server.register({ plugin: Crumb, // plugin options options: {} }); server.route({ path: '/login', method: 'GET', options: { plugins: { // route specific options crumb: {} }, handler(request, h) { // this requires to have a view engine configured return h.view('some-view'); } } }); })(); ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.