> For the complete documentation index, see [llms.txt](https://coldbox-security.ortusbooks.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://coldbox-security.ortusbooks.com/getting-started/configuration/csrf.md).

# CSRF

CBSecurity ships with the `cbsrf` module and can be configured in line with the `cbsecurity` key.

{% hint style="warning" %}
Please note that if any update is made to that module, verify its settings in the module's configuration documentation: <https://forgebox.io/view/cbcsrf>
{% endhint %}

```
/**
 * --------------------------------------------------------------------------
 * CSRF - Cross Site Request Forgery Settings
 * --------------------------------------------------------------------------
 * These settings configures the cbcsrf module. Look at the module configuration for more information
 */
csrf : {
	// By default we load up an interceptor that verifies all non-GET incoming requests against the token validations
	enableAutoVerifier     : false,
	// A list of events to exclude from csrf verification, regex allowed: e.g. stripe\..*
	verifyExcludes         : [],
	// By default, all csrf tokens have a life-span of 30 minutes. After 30 minutes, they expire and we aut-generate new ones.
	// If you do not want expiring tokens, then set this value to 0
	rotationTimeout        : 30,
	// Enable the /cbcsrf/generate endpoint to generate cbcsrf tokens for secured users.
	enableEndpoint         : false,
	// The WireBox mapping to use for the CacheStorage
	cacheStorage           : "CacheStorage@cbstorages",
	// Enable/Disable the cbAuth login/logout listener in order to rotate keys
	enableAuthTokenRotator : true
},
```

### EnableAutoVerifier

By default, this setting is turned off.  If you turn it on, then every non-GET request will be verified that it contains a valid incoming csrf token via a header or the incoming rc.

### VerifyExcludes

A list of regex patterns that will match against the incoming event. If matched, then that event will be excluded from the auto-verifier.

```javascript
verifyExcludes : [ "stripe\.", "logout" ],
```

### RotationTimeout

All csrf tokens have a life span of 30 minutes.  But you can control how long they live with this setting.

```javascript
rotationTimeout : 60,
```

### EnableEndpoint

This setting enables the `GET /cbcsrf/generate` endpoint to generate csrf tokens for secured users.  You can use this endpoint to generate user tokens via AJAX or UI-only applications. Please note that you can pass an optional `/:key` URL parameter that will generate the token for that specific key.

{% hint style="danger" %}
**IMPORTANT:** This endpoint is secured via a `secured` annotation, so make sure the firewall has annotation-driven rules enabled.
{% endhint %}

### CacheStorage

The WireBox ID to use for storing the tokens.  The default is the `CacheStorage@cbstorages` object.  However, you can use any ColdBox storage or your own as long as it matches the CBStorages API: <https://forgebox.io/view/cbstorages>.

```javascript
cacheStorage : "SessionStorage@cbstorages"
```

### EnableAuthTokenRotator

This setting is enabled by default and what it does is that it will rotate a user's secret keys when they login/logout via any authentication service registered with CBSecurity.

```javascript
enableAuthTokenRotator : false
```


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://coldbox-security.ortusbooks.com/getting-started/configuration/csrf.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.