Panagiotis Papadopoulos
|
b6d73df92e
|
feat(csrf_protection): use cookiePath from config
|
2025-02-10 19:03:10 +01:00 |
|
Panagiotis Papadopoulos
|
ca2bb94200
|
refactor(server/utils): isElectron - replace fn with boolean
this values cannot change during runtime,
=> there is no need to have these checks
as dynamic function, instead just
export the boolean value directly
|
2025-01-29 10:55:53 +01:00 |
|
Panagiotis Papadopoulos
|
9382c278b3
|
fix(csrf): add exception for electron for httpOnly cookie
it does not seem to like having httpOnly set in electron
|
2025-01-17 17:26:52 +01:00 |
|
Panagiotis Papadopoulos
|
5f605b3a91
|
fix(csrf): set more secure cookieOptions settings
- `sameSite` - previous setting inherited from csurf was to simply not set it at all, which makes all browser nag in their dev console output.
They will default to "Lax" for these type of cookies in the future.
We can even use "strict" here though for our use case:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#samesitesamesite-value
- `httpOnly`: should be enabled for the csrf cookie as well
for the session cookie it already is enabled.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#httponly
|
2025-01-16 21:40:12 +01:00 |
|
Panagiotis Papadopoulos
|
6dd8ab31d5
|
refactor(csrf): export generateToken utility
|
2025-01-16 20:14:23 +01:00 |
|
Panagiotis Papadopoulos
|
e3d89ce2a5
|
refactor(csrf): move csrf to own file
|
2025-01-16 20:14:23 +01:00 |
|