Tools/Notes
1
0
Fork 0
mirror of https://github.com/TriliumNext/Notes.git synced 2025-08-10 02:02:29 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix(csrf): stop leaking the CSRF token in the server logs

Browse Source 
As per OWASP:
"A CSRF token must not be leaked in the server logs or in the URL.", see:
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#transmissing-csrf-tokens-in-synchronized-patterns
This commit is contained in:
Panagiotis Papadopoulos 2025-01-16 21:16:33 +01:00
parent 283a12b0d5
commit ec19ccd7a7
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/routes/index.ts
View File

@ -24,7 +24,7 @@ function index(req: Request, res: Response) {
//'overwrite' set to false (default) => the existing token will be re-used and validated
//'validateOnReuse' set to false => if validation fails, generate a new token instead of throwing an error
const csrfToken = generateCsrfToken(req, res, false, false);
log.info(`Generated CSRF token ${csrfToken} with secret ${res.getHeader("set-cookie")}`);
log.info(`CSRF token generation: ${csrfToken ? "Successful" : "Failed"}`);
// We force the page to not be cached since on mobile the CSRF token can be
// broken when closing the browser and coming back in to the page.