- It supports two algorithms out of the box:
  - Synchronizer CSRF token with customizable token generation and storage. By default, it uses random data and the session.
  - HMAC-based token with customizable identity generation. Uses the session by default.
- It can apply masking to the CSRF token string to make the BREACH attack impossible.
Extensive documentation is available.
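
The HMAC-based token and the masking step from the feature list, sketched as an added example that is not taken from the package's own code. The key handling, token layout and function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # assumption: per-application secret


def hmac_token(identity: str, lifetime: int = 3600, now=None) -> bytes:
    """HMAC-based token: expiry timestamp plus a MAC binding it to the identity."""
    expires = str(int(now if now is not None else time.time()) + lifetime).encode()
    mac = hmac.new(SECRET_KEY, expires + b"|" + identity.encode(), hashlib.sha256).digest()
    return expires + b"." + base64.urlsafe_b64encode(mac)


def verify_hmac_token(token: bytes, identity: str, now=None) -> bool:
    expires, sep, mac_b64 = token.partition(b".")
    if not sep or not expires.isdigit():
        return False
    expected = hmac.new(SECRET_KEY, expires + b"|" + identity.encode(), hashlib.sha256).digest()
    fresh = int(expires) >= (now if now is not None else time.time())
    # Constant-time comparison avoids leaking how many MAC bytes matched.
    return hmac.compare_digest(base64.urlsafe_b64encode(expected), mac_b64) and fresh


def mask(token: bytes) -> str:
    """XOR the token with a fresh random pad so every response carries different bytes."""
    pad = secrets.token_bytes(len(token))
    masked = bytes(a ^ b for a, b in zip(pad, token))
    return base64.urlsafe_b64encode(pad + masked).decode()


def unmask(value: str) -> bytes:
    """Reverse mask(); returns b"" for malformed input so verification fails closed."""
    try:
        raw = base64.urlsafe_b64decode(value.encode())
    except ValueError:
        return b""
    if not raw or len(raw) % 2:
        return b""
    half = len(raw) // 2
    return bytes(a ^ b for a, b in zip(raw[:half], raw[half:]))
```

Because the pad is regenerated on every call, the string placed in the page differs between responses while the unmasked token stays constant.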