Forem: krishnadaspc The latest articles on Forem by krishnadaspc (@pckrishnadas88). https://forem.com/pckrishnadas88 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F335468%2Fd42d8ef5-ce84-4ef1-93ca-c17acdb39c43.jpg Forem: krishnadaspc https://forem.com/pckrishnadas88 en Part 1: Taming Asynchronous JavaScript: How to Build a "Mailbox" Queue krishnadaspc Sat, 23 May 2026 10:13:18 +0000 https://forem.com/pckrishnadas88/part-1-taming-asynchronous-javascript-how-to-build-a-mailbox-queue-2jok https://forem.com/pckrishnadas88/part-1-taming-asynchronous-javascript-how-to-build-a-mailbox-queue-2jok <p>Have you ever tried to catch water from a fire hydrant with a paper cup?</p> <p>That is exactly what it feels like when you are building a JavaScript app and data starts coming in way faster than your code can process it. Maybe you are handling a flood of incoming webhooks, reading a massive file, or listening to a busy WebSocket.</p> <p>If your data sender is faster than your data receiver, things break.</p> <p>What you need is a waiting room. A place where incoming data can chill out until your app is ready to handle it. In computer science, this is called a "Queue" or a "Channel." Today, we are going to build one from scratch. Let's call it our Mailbox.</p> <p>The Idea Behind the Mailbox<br> Think of a literal physical mailbox.</p> <p>The Mail Carrier (The Producer): Drops letters into the box. They don't care if you are home; they just drop the mail and leave.</p> <p>You (The Consumer): You check the mailbox. If there is mail, you take it. If the box is empty, you just wait until the mail carrier shows up.</p> <p>We can recreate this exact relationship in JavaScript using Promises. Here is the code. It might look a little magical at first, but we will break it down right after!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">export</span> <span class="kd">class</span> <span class="nc">Mailbox</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">()</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">messages</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">this</span><span class="p">.</span><span class="nx">waiters</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">this</span><span class="p">.</span><span class="nx">closed</span> <span class="o">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="nf">push</span><span class="p">(</span><span class="nx">message</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">closed</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Mailbox is closed</span><span class="dl">"</span><span class="p">)</span> <span class="p">}</span> <span class="c1">// Deliver directly to waiting consumer</span> <span class="k">if </span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">waiters</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">resolve</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">waiters</span><span class="p">.</span><span class="nf">shift</span><span class="p">()</span> <span class="nf">resolve</span><span class="p">(</span><span class="nx">message</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="k">this</span><span class="p">.</span><span class="nx">messages</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nx">message</span><span class="p">)</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">pop</span><span class="p">()</span> <span class="p">{</span> <span class="c1">// Message already available</span> <span class="k">if </span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">messages</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">messages</span><span class="p">.</span><span class="nf">shift</span><span class="p">()</span> <span class="p">}</span> <span class="c1">// Closed mailbox</span> <span class="k">if </span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">closed</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">null</span> <span class="p">}</span> <span class="c1">// Wait for future message</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">Promise</span><span class="p">((</span><span class="nx">resolve</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">waiters</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nx">resolve</span><span class="p">)</span> <span class="p">})</span> <span class="p">}</span> <span class="nf">close</span><span class="p">()</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">closed</span> <span class="o">=</span> <span class="kc">true</span> <span class="c1">// Wake all waiting consumers</span> <span class="k">while </span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">waiters</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">resolve</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">waiters</span><span class="p">.</span><span class="nf">shift</span><span class="p">()</span> <span class="nf">resolve</span><span class="p">(</span><span class="kc">null</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">get</span> <span class="nf">size</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">messages</span><span class="p">.</span><span class="nx">length</span> <span class="p">}</span> <span class="k">async</span> <span class="o">*</span><span class="p">[</span><span class="nb">Symbol</span><span class="p">.</span><span class="nx">asyncIterator</span><span class="p">]()</span> <span class="p">{</span> <span class="k">while </span><span class="p">(</span><span class="kc">true</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">msg</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nf">pop</span><span class="p">()</span> <span class="k">if </span><span class="p">(</span><span class="nx">msg</span> <span class="o">===</span> <span class="kc">null</span><span class="p">)</span> <span class="p">{</span> <span class="k">break</span> <span class="p">}</span> <span class="k">yield</span> <span class="nx">msg</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> The "Aha!" Moment: Pausing JavaScript </h2> <p>The coolest part of this code is inside the <strong><em>pop()</em></strong> method.</p> <p>Usually, when we use a Promise in JavaScript, it's for something like <em><strong>fetch()</strong></em></p> <p>You make a request, and eventually, it resolves.</p> <p>But here, we are doing something sneaky. If the mailbox is empty, we create a new Promise, but we take its resolve function and shove it into our <strong>this.waiters</strong> array. We are essentially bottling up the ability to finish the Promise for later.</p> <p>Your code effectively pauses. It just sits there, waiting.</p> <p>Then, when the <strong><em>push()</em></strong> method gets called, it looks inside this.waiters, pulls out that bottled-up resolve function, and triggers it with the new message. Boom! Your paused code instantly wakes up with the data.</p> <h2> How to Use It </h2> <p>Because we added that weird looking <strong>[Symbol.asyncIterator]</strong> at the bottom of the class, using our Mailbox is beautifully simple:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">mailbox</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Mailbox</span><span class="p">();</span> <span class="c1">// 1. You: waiting for mail</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">readMail</span><span class="p">()</span> <span class="p">{</span> <span class="c1">// This loop will naturally pause and wait for new messages!</span> <span class="k">for</span> <span class="k">await </span><span class="p">(</span><span class="kd">const</span> <span class="nx">msg</span> <span class="k">of</span> <span class="nx">mailbox</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Just got:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">msg</span><span class="p">);</span> <span class="p">}</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">No more mail coming!</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="nf">readMail</span><span class="p">();</span> <span class="c1">// 2. The Mail Carrier: dropping off mail at random times</span> <span class="nx">mailbox</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="dl">"</span><span class="s2">Letter 1</span><span class="dl">"</span><span class="p">);</span> <span class="nf">setTimeout</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="nx">mailbox</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="dl">"</span><span class="s2">Letter 2</span><span class="dl">"</span><span class="p">),</span> <span class="mi">1000</span><span class="p">);</span> <span class="nf">setTimeout</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="nx">mailbox</span><span class="p">.</span><span class="nf">close</span><span class="p">(),</span> <span class="mi">2000</span><span class="p">);</span> </code></pre> </div> <p>This setup works flawlessly for everyday tasks. But there is a hidden monster in this code.</p> <p>If you get too popular—say, someone drops 1,000,000 letters into your mailbox at once—this exact code will completely freeze your server for minutes. In Part 2, we are going to find out exactly why JavaScript hates huge arrays, and how to fix our Mailbox to handle millions of messages in a fraction of a second.</p> <p>The link to the repo of full source code of this: <a href="https://github.com/pckrishnadas88/mailbox" rel="noopener noreferrer">https://github.com/pckrishnadas88/mailbox</a></p> distributedsystems node web javascript How CSRF Token protects your web application krishnadaspc Mon, 20 Sep 2021 08:48:54 +0000 https://forem.com/pckrishnadas88/how-csrf-token-protects-your-web-application-5cad https://forem.com/pckrishnadas88/how-csrf-token-protects-your-web-application-5cad <p>We are going to look how CSRF tokens works in a real node express application and how it protects the app from cross site request forgery. If you would like to see the video version of this post you can watch it here.<br> <a href="https://www.youtube.com/watch?v=l3CC4mPGFmw" rel="noopener noreferrer">Watch video here</a></p> <h1> What is cross site request forgery? </h1> <p>When a web server is receives a request from a client without any mechanism for verifying that it was intentionally sent, then it might be possible for a hacker to send requests to the web server which will be treated as a genuine request. This can be done via a Form submit, URL, image load, XMLHttpRequest, etc. and can result in data breach or unintended code execution. In this post we are going to explain a form submit kind of attack and how CSRF tokens prevents this.</p> <h2> Code set up </h2> <p>There are two fresh express applications running. One is running on port <code>3000</code> which is <strong>App1</strong> and another is running on port <code>5000</code> which is <strong>App2</strong>. Both of these applications are created using the express generator. </p> <h2> App1 Code snippets </h2> <p>Install the npm <code>csurf</code></p> <p>Enable the csrf middleware for the application in <code>app.js</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">var</span> <span class="nx">csrf</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">csurf</span><span class="dl">'</span><span class="p">)</span> <span class="c1">// setup route middlewares</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">cookieParser</span><span class="p">(</span><span class="dl">'</span><span class="s1">fsgdesgsdYYFCCXXX</span><span class="dl">'</span><span class="p">));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">csrf</span><span class="p">({</span> <span class="na">cookie</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}))</span> </code></pre> </div> <p>Setting up the routes for the App1. Code from <code>routes/index.js</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">var</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">router</span> <span class="o">=</span> <span class="nx">express</span><span class="p">.</span><span class="nc">Router</span><span class="p">();</span> <span class="cm">/* GET home page. */</span> <span class="nx">router</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="kd">function</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">render</span><span class="p">(</span><span class="dl">'</span><span class="s1">index</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">title</span><span class="p">:</span> <span class="dl">"</span><span class="s2">App1, CSRF Demo</span><span class="dl">"</span><span class="p">,</span> <span class="na">csrfToken</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nf">csrfToken</span><span class="p">()</span> <span class="p">})</span> <span class="p">});</span> <span class="nx">router</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/process</span><span class="dl">'</span><span class="p">,</span> <span class="nf">function </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">csrf is valid, data is being processed</span><span class="dl">'</span><span class="p">)</span> <span class="p">})</span> </code></pre> </div> <p>In the above code we are generating the <code>csrfToken</code> and passing it to the view where we load our form with <code>csrfToken: req.csrfToken()</code></p> <p>In the view we use handlebars as our templating engine and csrf token is added as a hidden input field.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;h1&gt;</span>{{title}}<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;p&gt;</span>Welcome to {{title}}<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;form</span> <span class="na">action=</span><span class="s">"/process"</span> <span class="na">method=</span><span class="s">"POST"</span><span class="nt">&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"hidden"</span> <span class="na">name=</span><span class="s">"_csrf"</span> <span class="na">value=</span><span class="s">"{{csrfToken}}"</span><span class="nt">&gt;</span> name: <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">name=</span><span class="s">"name"</span><span class="nt">&gt;</span> <span class="nt">&lt;button</span> <span class="na">type=</span><span class="s">"submit"</span><span class="nt">&gt;</span>Submit<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/form&gt;</span> </code></pre> </div> <p>When we start the <strong>App1</strong> we can see a form loaded with the generated csrf token if you check the html view source of the page.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fytq4yloi4sobzs0wc9vg.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fytq4yloi4sobzs0wc9vg.png" alt="Alt Text"></a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5b3jdvrpzk2fuvxb64pj.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5b3jdvrpzk2fuvxb64pj.png" alt="Alt Text"></a></p> <p>and submit the form with some data. You can see this result as <code>csrf token</code> is validated and correct.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fharpuqw246qqlinmzilo.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fharpuqw246qqlinmzilo.png" alt="Alt Text"></a></p> <h1> How token protects the app? </h1> <p>Now let's remove the token generation and see how this CSRF middle-ware protects our application. Change the code in <code>app1/routes/index.js</code> like this. Now we pass <code>csrf</code> as an empty string.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="cm">/* GET home page. */</span> <span class="nx">router</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="kd">function</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">render</span><span class="p">(</span><span class="dl">'</span><span class="s1">index</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">title</span><span class="p">:</span> <span class="dl">"</span><span class="s2">App1, CSRF Demo</span><span class="dl">"</span><span class="p">,</span> <span class="na">csrfToken</span><span class="p">:</span> <span class="dl">''</span> <span class="p">})</span> <span class="p">});</span> </code></pre> </div> <p>Now if you submit the form you will get an error message like this.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu5qxl7k09201q4rjhzv3.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu5qxl7k09201q4rjhzv3.png" alt="Alt Text"></a></p> <p>Now server rejects the request as it cannot find a valid token in the request and now we are protected from such kind of attacks.</p> <h1> Attack request from App2 </h1> <p>Now let's mimic an attack from another domain/application. In this example which is <strong>App2</strong></p> <p>For the time being just disable the <code>csrf</code> middleware in <strong>App1</strong>. Comment these lines in <code>app1/app.js</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// app.use(csrf({ cookie: true }))</span> </code></pre> </div> <p>In <strong>App2</strong> home route we also have the same form but the form submit action is the url of <strong>App1</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;h1&gt;</span>{{title}}<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;p&gt;</span>Welcome to {{title}}<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;form</span> <span class="na">action=</span><span class="s">"http://localhost:3000/process"</span> <span class="na">method=</span><span class="s">"POST"</span><span class="nt">&gt;</span> name: <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">name=</span><span class="s">"name"</span><span class="nt">&gt;</span> <span class="nt">&lt;button</span> <span class="na">type=</span><span class="s">"submit"</span><span class="nt">&gt;</span>Submit<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/form&gt;</span> </code></pre> </div> <p>Start the server <strong>App2</strong> which is running on port 5000. You can see the form but now when you submit the form it is accepted as <strong>App1</strong> currently do not have CSRF middleware enabled.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4de40i6iaq5672hpcpx1.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4de40i6iaq5672hpcpx1.png" alt="Alt Text"></a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F351hne14b1ivpivvi0bx.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F351hne14b1ivpivvi0bx.png" alt="Alt Text"></a></p> <p>Now just re enable our <code>csrf</code> middleware in <strong>App1</strong>. Un comment this line<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">csrf</span><span class="p">({</span> <span class="na">cookie</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}))</span> </code></pre> </div> <p>And now when you submit the form from <strong>App2</strong> you will get this error page only. So we are now protected.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj3deyg1yqeturygr8vhm.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj3deyg1yqeturygr8vhm.png" alt="Alt Text"></a></p> <p>That's how a CSRF token protects in a real application. You can find the full source code here <a href="https://github.com/pcktuts/csrf-demo-express-js" rel="noopener noreferrer">Github Code Link</a></p> <p>You can follow me on my twitter here <a href="https://twitter.com/pckrishnadas88" rel="noopener noreferrer">KrishnadasPC</a></p> node express security