Form Patterns

Interactive forms with validation, CSRF protection, and flash messages baked in.

Try it out

Submit the form to see a real POST → flash cookie → redirect cycle. Try submitting with fewer than 3 characters in the name field.

How it works

1. CSRF Protection

Every mutating form includes a hidden _csrf token generated per-session using the synchronizer token pattern. Tokens are scoped to a specific HTTP method and path, then verified server-side before the action executes.

2. Validation

HTML5 attributes like required and minLength provide instant client-side feedback. The server re-validates every field so nothing slips through even if JS is disabled or the request is crafted manually.

3. Flash Messages

After a form submission the server sets an HMAC-signed cookie containing a one-time message. On the next page load the message is read, verified, and cleared — no session store required.
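
The method-and-path scoping described under CSRF Protection can be sketched as follows. This is an added example, not this project's code: it assumes each session stores a random secret and that the `_csrf` value is an HMAC of the method and path under that secret. The function names are hypothetical.

```javascript
const crypto = require('node:crypto');

// Assumption: a random secret is created once per session and kept server-side.
function newSessionSecret() {
  return crypto.randomBytes(32);
}

// Canonical scope string. A newline cannot occur in a method or a request path,
// so two different (method, path) pairs never produce the same string.
function scope(method, path) {
  return `${method.toUpperCase()}\n${path}`;
}

// Token = HMAC-SHA256(sessionSecret, scope), base64url for the hidden _csrf field.
function mintCsrfToken(sessionSecret, method, path) {
  return crypto.createHmac('sha256', sessionSecret)
    .update(scope(method, path))
    .digest('base64url');
}

// Recompute for the request actually received and compare in constant time.
function verifyCsrfToken(sessionSecret, method, path, submitted) {
  if (typeof submitted !== 'string') return false;
  const expected = Buffer.from(mintCsrfToken(sessionSecret, method, path));
  const given = Buffer.from(submitted);
  // timingSafeEqual throws on a length mismatch, so check the length first.
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Constructed demo: two sessions and one form rendered for POST /contact.
function demo() {
  const alice = newSessionSecret();
  const other = newSessionSecret();
  const token = mintCsrfToken(alice, 'POST', '/contact');
  return {
    sameRequest: verifyCsrfToken(alice, 'POST', '/contact', token),
    otherPath: verifyCsrfToken(alice, 'POST', '/account/delete', token),
    otherMethod: verifyCsrfToken(alice, 'DELETE', '/contact', token),
    otherSession: verifyCsrfToken(other, 'POST', '/contact', token),
    missingField: verifyCsrfToken(alice, 'POST', '/contact', undefined),
  };
}

console.log(demo());
```

Only `sameRequest` is accepted; a token lifted from one form is rejected on any other route, method, or session.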