Replies: 2 comments
-
I think you should search for a CSRF explanation. This will help you understand how the cookie and header/query parts work in the CSRF flow. But as a very short and simple example (token in form): when you request a form from the server, the server will set a token in a cookie and serve you a form that needs to be filled in, and one of the fields (hidden) is also the token. Now when you fill in the form and submit it, the server will compare the token in the cookie to the token in the submitted form; if these do not match, the form submit errors out.

If you want to use

    csrf := middleware.CSRFWithConfig(middleware.CSRFConfig{
        CookieName: "__HOST-csrf",
    })
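Added example, not part of the thread and not Echo's own code: the cookie-versus-submitted-token comparison described in the reply above, written against Go's standard `net/http` so it runs without dependencies, with the cookie attributes a `__Host-` name needs. The cookie name, the `X-CSRF-Token` header name and the helper `do` are assumptions made for this sketch; a real page would receive the token in the rendered form or response rather than reading it back from the test recorder.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"net/http"
	"net/http/httptest"
)

// Constructed name. Browsers accept a __Host- cookie only with Secure, Path=/ and no Domain.
const cookieName = "__Host-csrf"

// csrf sets the token cookie on GET/HEAD; other methods must echo it in X-CSRF-Token.
func csrf(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie(cookieName)
		if r.Method == http.MethodGet || r.Method == http.MethodHead {
			if err != nil { // no token yet: issue one
				b := make([]byte, 32)
				if _, rerr := rand.Read(b); rerr != nil {
					panic(rerr) // never hand out a predictable token
				}
				http.SetCookie(w, &http.Cookie{Name: cookieName, Value: hex.EncodeToString(b), Path: "/", Secure: true, SameSite: http.SameSiteStrictMode})
			}
		} else if t := r.Header.Get("X-CSRF-Token"); err != nil || t == "" || subtle.ConstantTimeCompare([]byte(t), []byte(c.Value)) != 1 {
			http.Error(w, "invalid csrf token", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// do sends one request with an optional cookie and header token (hypothetical test client).
func do(h http.Handler, method string, c *http.Cookie, token string) *httptest.ResponseRecorder {
	req := httptest.NewRequest(method, "/form", nil)
	if c != nil {
		req.AddCookie(c)
	}
	req.Header.Set("X-CSRF-Token", token)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec
}

func main() {
	h := csrf(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("ok")) }))
	c := do(h, "GET", nil, "").Result().Cookies()[0]
	println(do(h, "POST", c, c.Value).Code, do(h, "POST", c, "").Code, do(h, "POST", c, "forged").Code)
}
```

The cookie alone never authorizes a POST, because the browser attaches it to cross-site requests automatically; the request passes only when the same value also arrives in a place a foreign page cannot set, here the header.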
-
Thank you! I will surely research in the future.
-
I just realised there is a difference between cookie and header. What is the header use case, and is it secure to rely on cookie:ccc?

I'm confused about __HOST-, which I read about on the web: can it be used in Echo? We need a tutorial.