From ec19ccd7a7287fbefdec306aae3266e79150b5c8 Mon Sep 17 00:00:00 2001
From: Panagiotis Papadopoulos
Date: Thu, 16 Jan 2025 21:16:33 +0100
Subject: [PATCH] fix(csrf): stop leaking the CSRF token in the server logs
As per OWASP: "A CSRF token must not be leaked in the server logs or in the URL.", see: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#transmissing-csrf-tokens-in-synchronized-patterns
---
 src/routes/index.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/routes/index.ts b/src/routes/index.ts
index 18cbaf081..5996eddf0 100644
--- a/src/routes/index.ts
+++ b/src/routes/index.ts
@@ -24,7 +24,7 @@ function index(req: Request, res: Response) {
 //'overwrite' set to false (default) => the existing token will be re-used and validated
 //'validateOnReuse' set to false => if validation fails, generate a new token instead of throwing an error
 const csrfToken = generateCsrfToken(req, res, false, false);
- log.info(`Generated CSRF token ${csrfToken} with secret ${res.getHeader("set-cookie")}`);
+ log.info(`CSRF token generation: ${csrfToken ? "Successful" : "Failed"}`);
 // We force the page to not be cached since on mobile the CSRF token can be
 // broken when closing the browser and coming back in to the page.
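Review bot: The replacement log line runs on every request handled by `index`, and since the comment two lines above says a failed validation generates a fresh token instead of throwing, `csrfToken` is presumably always a non-empty string, so the ternary would print "Successful" on every call and the "Failed" branch is likely unreachable; this depends on generateCsrfToken's return type, which is not visible here. If a falsy return is in fact possible, that is the only outcome worth recording and it belongs at a warning level, e.g. `if (!csrfToken) { log.info("CSRF token generation failed"); }` using the logger's warning method if it exposes one; otherwise the line is per-request noise at info level and could be demoted or dropped. It is also worth confirming that no other log statement still interpolates the token or the `set-cookie` header the removed line exposed, since this patch touches only this call site. The body of `index` continues outside the hunk.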