lusca
Secure csrf
How can I set secure CSRF?
You can drop a hidden element on the page with your created CSRF token, similar to this kraken example.
Be sure that you have a session to hold onto the secret for validation purposes.
Flow:
- Incoming non-safe HTTP verb with CSRF header
- parse request
- lusca middleware finds _csrf and uses the secret from the session to validate _csrf
@shaunwarman I use CSRF in a cookie :) not in HTML :) with the param angular: true in the lusca settings.
Ah, ok perfect! What are you trying to change?
I use node.js behind Apache (as a proxy). I want to set XSRF-TOKEN with the secure flag set to true (obviously using HTTPS :D). The session is set with secure = true, but the CSRF cookie can't be set secure directly from lusca, only if I override res.cookie, because when lusca sets the XSRF cookie it is not set with options.secure = true.
You can see it here https://github.com/krakenjs/lusca/blob/master/lib/csrf.js at line 49 (res.cookie(cookie, token);).
I'm forwarding the SSL details from Apache to node; node knows that the site is on HTTPS (SSL is set in the Apache conf). In express-session I set secure = true in the cookie section.
I managed to set the CSRF cookie with secure = true only by overriding res.cookie (when options.secure is not set, I set it to true automatically if HTTPS is active), but I don't like this...
I don't understand what I omitted...
I'm facing the same issue, and as far as I can see there's no way to set the cookie as Secure or HttpOnly other than by overriding it.
This is because the CSRF configuration doesn't accept options for the cookie.
https://expressjs.com/en/api.html#res.cookie
Opened a pull request with a possible solution: https://github.com/krakenjs/lusca/pull/104
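The res.cookie override that the two posts above describe, written out as an added example (this is not lusca's code and not code from anyone in the thread). It is an Express-style middleware that wraps res.cookie so that any cookie set later in the chain, including the XSRF-TOKEN cookie that lusca's angular mode writes with res.cookie(cookie, token) and no options, gets the Secure flag whenever the request arrived over HTTPS. The function names (isHttps, secureCookies, simulate, makeResponse), the trustProxy flag on the simulated request and the sample requests are assumptions made for the example; connect.sid is express-session's default cookie name. The example uses plain objects instead of real Express so it runs offline; in a real app you would mount secureCookies before lusca.csrf({ angular: true }) and set app.set('trust proxy', 1) so that req.secure reflects Apache's X-Forwarded-Proto.

```javascript
'use strict';

// Added example, not lusca's own code. Wraps res.cookie so every cookie set
// later in the middleware chain is sent with Secure when the request is HTTPS.

// Decide whether the client connection is HTTPS. In real Express, req.secure
// already honours the 'trust proxy' setting. The header fallback exists for the
// plain-object simulation below and is only honoured when trustProxy is set,
// because an X-Forwarded-Proto header from an untrusted source is attacker data.
function isHttps(req) {
  if (req.secure === true) return true;
  const proto = String((req.headers && req.headers['x-forwarded-proto']) || '')
    .split(',')[0].trim().toLowerCase();
  return req.trustProxy === true && proto === 'https';
}

// Cookies that scripts never need to read. XSRF-TOKEN is intentionally absent:
// Angular reads it from document.cookie to populate the X-XSRF-TOKEN header,
// so marking it HttpOnly would break the angular-mode flow entirely.
const HTTP_ONLY_COOKIES = new Set(['connect.sid']); // express-session default name

// Hypothetical middleware: mount it before lusca.csrf({ angular: true }).
function secureCookies(req, res, next) {
  const originalCookie = res.cookie;
  res.cookie = function (name, value, options) {
    const opts = Object.assign({}, options); // never mutate the caller's object
    if (opts.secure === undefined && isHttps(req)) opts.secure = true;
    if (opts.httpOnly === undefined && HTTP_ONLY_COOKIES.has(name)) opts.httpOnly = true;
    if (opts.sameSite === undefined) opts.sameSite = 'lax';
    return originalCookie.call(this, name, value, opts);
  };
  next();
}

// Minimal stand-in for an Express response: records what res.cookie was called with.
function makeResponse() {
  const res = { cookies: {} };
  res.cookie = function (name, value, options) {
    this.cookies[name] = { value: value, options: options || {} };
    return this;
  };
  return res;
}

// Run one request through the middleware, then mimic what lusca's angular mode
// does: res.cookie('XSRF-TOKEN', token) with no options. Also sets a session
// cookie the way express-session would. Returns the recorded cookies.
function simulate(req, token) {
  const res = makeResponse();
  let reachedNext = false;
  secureCookies(req, res, () => { reachedNext = true; });
  if (!reachedNext) throw new Error('middleware did not call next()');
  res.cookie('XSRF-TOKEN', token);                         // lusca's call, options omitted
  res.cookie('connect.sid', 's:abc', { httpOnly: true });  // session cookie
  return res.cookies;
}

// Constructed sample requests (not captured traffic).
const directTls = { secure: true, headers: {} };
const viaTrustedProxy = { secure: false, trustProxy: true, headers: { 'x-forwarded-proto': 'https' } };
const viaUntrustedProxy = { secure: false, trustProxy: false, headers: { 'x-forwarded-proto': 'https' } };
const plainHttp = { secure: false, headers: {} };

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  const cases = { directTls, viaTrustedProxy, viaUntrustedProxy, plainHttp };
  for (const label of Object.keys(cases)) {
    const cookies = simulate(cases[label], 'tok123');
    console.log(label, JSON.stringify(cookies['XSRF-TOKEN'].options));
  }
}
```

Two points worth keeping in mind when adapting this: the Secure flag is only forced when the app itself believes the connection is HTTPS, so behind Apache the 'trust proxy' setting has to be correct or the flag is silently dropped; and HttpOnly is applied to the session cookie but deliberately not to XSRF-TOKEN, since the whole point of angular mode is that client-side script reads that cookie and echoes it in the X-XSRF-TOKEN header.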