
Implement CSRF strategy

Open robertjd opened this issue 10 years ago • 4 comments

Because we are storing authentication information in cookies, we need to implement a CSRF strategy for this module. Any middleware function which is using cookies to authenticate the request should assert that the request is coming from the same domain as the cookie.

robertjd avatar Oct 26 '15 19:10 robertjd

Can the access token be used as a CSRF token? I came across the concept of double submit cookies. I'm using Angular on the client and it's only a simple configuration to have Angular return the access token in the X-XSRF-TOKEN header, and then on the server I can compare the cookie and header after the stormpath middleware.

Sounds simple but is it right?

stevebread avatar Feb 10 '16 03:02 stevebread

Never mind, the access token is rightfully HttpOnly.

stevebread avatar Feb 11 '16 16:02 stevebread

Hey @robertjd, is this still in the works? I found this during my Google search for resources on how CSRF tokens are created and validated in express-stormpath.

mdeggies avatar Aug 24 '16 20:08 mdeggies

This is probably going to come in the form of some suggested modules to use, not something that is built into this library.

robertjd avatar Aug 24 '16 21:08 robertjd