Testing CSRF Token Routes in Postman

A comprehensive guide to understanding and testing CSRF protection in your API

Understanding CSRF Tokens

Before we dive into testing, let's understand what we're working with. Think of a CSRF token like a special wristband you get at an exclusive event. Just as the wristband proves you entered through the proper channels, a CSRF token proves the request was assembled by your own front end, which was able to read the token, rather than by a third-party page that can only make the browser replay your cookies. The token says nothing about who the user is; that is still the job of the session cookie.

The Route We're Testing

Let's examine the route that generates and provides our CSRF token:


router.get("/api/csrf/restore", (req, res) => {
    // Generate a new CSRF token. req.csrfToken() is added by the CSRF
    // middleware mounted earlier (typically csurf), not by Express itself.
    const csrfToken = req.csrfToken();

    // Set it as a cookie. It is deliberately not httpOnly: the front end
    // reads it and echoes it back in a request header.
    res.cookie("XSRF-TOKEN", csrfToken);

    // Also return it in the response body
    res.status(200).json({
        'XSRF-Token': csrfToken
    });
});
                    

This route does three important things:

1. Generates a new CSRF token with req.csrfToken(), which is provided by the CSRF middleware (typically csurf), not by Express itself. The token is derived from a secret the middleware keeps in the session (or, with csurf's cookie option, in a separate _csrf cookie); that secret, not the XSRF-TOKEN cookie, is what the server checks the token against on later requests

2. Sets the token as a cookie named "XSRF-TOKEN" so browser code can read it

3. Returns the same token in the response body for easy access

Setting Up Postman

Testing CSRF protection requires proper Postman configuration. Think of this like setting up your testing environment in a laboratory - everything needs to be properly prepared for accurate results.

Step 1: Configure Postman Settings

First, we need to configure Postman to handle cookies properly. Postman keeps its cookie jar per domain, so use the same host name in every request (localhost throughout, not sometimes 127.0.0.1), or the cookies saved from one request won't be sent with the next:

1. Click the Settings icon (wrench/gear) in Postman

2. Look for the "General" tab

3. Ensure these settings are enabled:


[✓] Automatically follow redirects
[✓] Send cookies
[✓] Save cookies by default
                    

Creating the Test Request

Now let's set up our request to test the CSRF token route.

Basic Request Configuration


Method: GET
URL: http://localhost:8000/api/csrf/restore
Headers: No special headers needed for this initial request
                    

This is like knocking on the door to get your special access wristband - it's a simple request that initiates the security process.

Understanding the Response

When you send the request, you'll receive a response with several important components. Let's examine each part:

1. Response Body


{
    "XSRF-Token": "a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6"
}
                    

2. Cookies

In the Cookies tab, you should see:


Name: XSRF-TOKEN
Value: a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6
                    

3. Status Code

Status: 200 OK - Indicates successful token generation and delivery

Using the Token in Subsequent Requests

Now that we have our token, we can send it with state-changing requests (POST, PUT, DELETE) as an XSRF-TOKEN header; GET requests pass through without it. This is like using your event wristband to access restricted areas. Two things must travel together: the header carrying the token, and the cookies Postman saved from the restore request (the session cookie or csurf's _csrf cookie), because the server validates the token against the secret stored there. A CSRF token is not an authentication credential; a token sent without its matching session cookies is rejected.
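The practical way to carry the token from the restore request into the requests that follow is a script in the "Tests" tab of the GET request. The following is an added example, not code from the original page: the helper functions are plain JavaScript and can be run with Node.js, while the pm.* calls at the bottom use Postman's sandbox API (pm.response, pm.test, pm.environment) and only execute inside Postman. The environment variable name xsrfToken is my choice.

```javascript
// Added example (not from the original page): a Postman "Tests" script for
// GET /api/csrf/restore. It pulls the token from the body and from the
// XSRF-TOKEN cookie, checks they agree, and stores the value in an
// environment variable so later requests can send it as {{xsrfToken}}.

// Body field the route returns: { "XSRF-Token": "..." }
function tokenFromBody(body) {
  if (!body || typeof body !== "object") return null;
  const value = body["XSRF-Token"];
  return typeof value === "string" && value.length > 0 ? value : null;
}

// Value of the XSRF-TOKEN cookie from a list of Set-Cookie header values.
// The route sets the cookie without attributes, but attributes are tolerated.
// Express percent-encodes cookie values by default, so decode before comparing.
function tokenFromSetCookie(setCookieHeaders) {
  for (const header of setCookieHeaders || []) {
    const [pair] = header.split(";");
    const eq = pair.indexOf("=");
    if (eq === -1) continue;
    if (pair.slice(0, eq).trim() === "XSRF-TOKEN") {
      return decodeURIComponent(pair.slice(eq + 1).trim());
    }
  }
  return null;
}

// Both copies must exist and match; otherwise a later request would send a
// header value that does not correspond to what the browser client would use.
function checkRestoreResponse(body, setCookieHeaders) {
  const fromBody = tokenFromBody(body);
  const fromCookie = tokenFromSetCookie(setCookieHeaders);
  return {
    token: fromBody,
    ok: fromBody !== null && fromBody === fromCookie,
  };
}

// Postman glue (skipped when this file is run outside the sandbox).
if (typeof pm !== "undefined") {
  const setCookies = pm.response.headers
    .all()
    .filter((h) => h.key.toLowerCase() === "set-cookie")
    .map((h) => h.value);
  const result = checkRestoreResponse(pm.response.json(), setCookies);

  pm.test("status is 200", () => pm.response.to.have.status(200));
  pm.test("body token matches XSRF-TOKEN cookie", () => pm.expect(result.ok).to.be.true);

  if (result.ok) {
    pm.environment.set("xsrfToken", result.token);
  }
}
```

With this in place, each POST, PUT or DELETE request only needs a header XSRF-TOKEN with value {{xsrfToken}}; Postman attaches the saved cookies for localhost on its own. Re-run the GET whenever the session changes, since the stored variable is only as fresh as the last restore call.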

Troubleshooting Common Issues

Missing or Invalid Token

If you receive a 403 Forbidden response, check:

1. That you copied the token correctly (the full value, with no surrounding whitespace or quotes)

2. That the session hasn't been reset since you fetched the token: when the secret lives in the session, logging in or out, clearing Postman's cookies, or restarting a server with an in-memory session store changes the secret and invalidates every earlier token

3. That you're using the correct header name (XSRF-TOKEN)

4. That the cookies from the restore request are actually being sent with the failing request; the token is checked against the secret in the session or _csrf cookie, so the header on its own is never enough

Cookie Issues

If cookies aren't being saved:

1. Verify your Postman settings

2. Try clearing Postman's cookie store

3. Ensure your server is setting the cookie correctly

Best Practices

When testing CSRF protection, remember these key points:

1. Always verify both the cookie and the response body contain the token, and that the two values match

2. Test the token with different types of requests (POST, PUT, DELETE); GET, HEAD and OPTIONS are normally exempt from the check, so a passing GET proves nothing

3. Verify that requests without tokens are properly rejected with 403, and that requests sending a tampered token, or a token obtained under a different session, are rejected too

4. Document any special token handling requirements for your API