Merge pull request #961 from pano9000/fix-csrf-settings

fix(csrf): set more secure csrf related settings
2025-09-18 17:31:53 +08:00 · 2025-01-16 23:03:43 +02:00 · 2025-01-16 23:03:43 +02:00 · b2e1a3e97a
commit b2e1a3e97a
parent 283a12b0d5 5f605b3a91
2 changed files with 3 additions and 3 deletions
--- a/src/routes/csrf_protection.ts
+++ b/src/routes/csrf_protection.ts
@ -6,8 +6,8 @@ const doubleCsrfUtilities = doubleCsrf({
    cookieOptions: {
        path: "", // empty, so cookie is valid only for the current path
        secure: false,
-        sameSite: false,
-        httpOnly: false
+        sameSite: "strict",
+        httpOnly: true
    },
    cookieName: "_csrf"
 });
--- a/src/routes/index.ts
+++ b/src/routes/index.ts
@ -24,7 +24,7 @@ function index(req: Request, res: Response) {
    //'overwrite' set to false (default) => the existing token will be re-used and validated
    //'validateOnReuse' set to false => if validation fails, generate a new token instead of throwing an error
    const csrfToken = generateCsrfToken(req, res, false, false);
-    log.info(`Generated CSRF token ${csrfToken} with secret ${res.getHeader("set-cookie")}`);
+    log.info(`CSRF token generation: ${csrfToken ? "Successful" : "Failed"}`);

    // We force the page to not be cached since on mobile the CSRF token can be
    // broken when closing the browser and coming back in to the page.