xsurf

v1.1.1

A performant, zero-dependency utility for generating and validating CSRF tokens.

A performant, zero-dependency Node.js utility for generating and validating CSRF tokens, written entirely in TypeScript.

Token creation and verification logic is based on this specification.

Installation

Via npm:

npm i xsurf

Via yarn:

yarn add xsurf

Middlewares and plugins

Want to integrate CSRF protection middleware into your framework of choice? These middlewares use xsurf:

Usage API

createToken(length?: number)

Synchronously creates a CSRF token of the specified length (32 bytes by default) to be stored in a cookie and copied to the request header on the client.

// Default: token built from 32 bytes of random data
const token = createToken();
request.setCookie('x-csrf-token', token);
// Create token with 64 bytes of random data
const longToken = createToken(64);

createTokenAsync(length?: number): Promise<string>

Asynchronous version of createToken(). Should only be used in niche scenarios because the underlying async crypto.randomBytes() call tends to sacrifice crypto ops/sec in favor of js ops/sec, leading to generally poorer performance.

async function handle() {
  // Await the async variant; createToken() itself is synchronous
  const token = await createTokenAsync();
  // Do something with token
}

createChecksum(token: string, secret: string): string

Generate a checksum of the CSRF token using an HMAC SHA256 digest of the token and secret. This value should be stored in an httpOnly cookie and be used to verify incoming requests.

const secret = process.env.CSRF_SECRET;
const token = request.cookies['x-csrf-token'];
// Make checksum and store in a cookie
const checksum = createChecksum(token, secret);
request.setCookie('x-csrf-checksum', checksum);

verifyChecksum(token: string, checksum: string, secret: string): boolean

Verify the validity of the provided token against the true checksum using a time-safe comparison. The provided token should originate from the HTTP request header while the checksum should be read from the httpOnly cookie.

const secret = process.env.CSRF_SECRET;
const headerToken = request.headers['x-csrf-token'];
// Validate the request header token by comparing its
// checksum to the true checksum stored in a cookie
const checksum = request.cookies['x-csrf-checksum'];
const valid = verifyChecksum(headerToken, checksum, secret);
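The issue-and-verify flow described in the API sections above, written directly against Node's crypto module as an added example; it is not xsurf's source code. The helper names (hmacChecksum, safeEqual, issueCsrfPair, checkRequest), the hex encoding and the shape of the request object are assumptions made for illustration.

```javascript
// Added illustration of the token + HMAC checksum scheme; NOT xsurf's source.
// All function names, the hex encoding and the req shape are assumptions.
const crypto = require('node:crypto');

// HMAC-SHA256 of the token, keyed with the server-side secret.
function hmacChecksum(token, secret) {
  return crypto.createHmac('sha256', secret).update(token).digest('hex');
}

// Constant-time comparison. crypto.timingSafeEqual throws when the inputs
// differ in length, so both sides are first hashed to fixed-size buffers.
function safeEqual(a, b) {
  const ha = crypto.createHash('sha256').update(a).digest();
  const hb = crypto.createHash('sha256').update(b).digest();
  return crypto.timingSafeEqual(ha, hb);
}

// Cookie values the server sets when it issues a token.
function issueCsrfPair(secret, length = 32) {
  const token = crypto.randomBytes(length).toString('hex');
  return {
    cookies: {
      'x-csrf-token': token, // readable by client script, copied to the header
      'x-csrf-checksum': hmacChecksum(token, secret), // set as httpOnly
    },
  };
}

// Verify a state-changing request: the header token must hash to the
// checksum held in the httpOnly cookie.
function checkRequest(req, secret) {
  const headerToken = req.headers['x-csrf-token'];
  const checksum = req.cookies['x-csrf-checksum'];
  // Reject missing, empty or non-string values (e.g. a duplicated header
  // parsed as an array) before doing any crypto work.
  if (typeof headerToken !== 'string' || headerToken === '') return false;
  if (typeof checksum !== 'string' || checksum === '') return false;
  return safeEqual(hmacChecksum(headerToken, secret), checksum);
}
```

A request passes only when the header token, the checksum cookie and the server secret all agree; a missing header, a truncated checksum or a rotated secret each fail closed instead of throwing.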

License

MIT License