chore: documentation clarifications
psibean committed Nov 25, 2024
1 parent e6f2543 commit 5001793
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions README.md
Expand Up @@ -65,7 +65,7 @@
<b>Do not</b> use the same secret for csrf-csrf and cookie-parser.
</li>
<li>
<b>Do not</b> transmit your CSRF token by cookies.
<b>Do not</b> use the cookie value within <code>getTokenFromRequest</code>>.
</li>
<li>
<b>Do not</b> expose your CSRF tokens or hash in any log output or transactions other than the CSRF exchange.
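Review bot: the added line in this hunk carries a stray `>` after `</code>`, so it will render as "getTokenFromRequest>" with a literal angle bracket; change `<code>getTokenFromRequest</code>>.` to `<code>getTokenFromRequest</code>.` before merging. The narrowed wording itself is an improvement: it replaces the blanket "do not transmit your CSRF token by cookies" with the concrete mistake that actually defeats the double-submit pattern, reading the token out of the cookie in `getTokenFromRequest`, so the comparison the middleware performs is between the cookie and itself.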
Expand Down Expand Up @@ -247,7 +247,7 @@ string;
<p><b>Optional:</b> The name of the httpOnly cookie that will be used to track CSRF protection. If you change this it is recommend that you continue to use the <code>__Host-</code> or <code>__Secure-</code> <a target="_blank" href="developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie">security prefix</a>.</p>

<p><b>Change for development</b></p>

f
<p>The security prefix requires the secure flag to be true and requires requests to be received via HTTPS, unless you have your local instance running via HTTPS, you will need to change this value in your development environment.</p>

<h3>cookieOptions</h3>
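Review bot: the only changed content in this hunk is a line holding a lone `f` between the `<p><b>Change for development</b></p>` heading and the paragraph that follows; whichever side of the diff that line sits on, a single stray character does not belong in the README, so confirm the committed version removes it rather than introduces it. While touching this block, the following sentence reads as a run-on ("requires requests to be received via HTTPS, unless you have your local instance running via HTTPS, you will need to change this value"); splitting it after "HTTPS" into two sentences would make the development caveat clearer.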
Expand Down Expand Up @@ -316,7 +316,7 @@ string;
(req: Request) => req.headers["x-csrf-token"];
```

<p>This function should return the token sent by the frontend, the doubleCsrfProtection middleware will validate the value returned by this function against the value in the cookie.</p>
<p>This function should return the token sent by the frontend, either in the request body/payload, or from the `x-csrf-token` header. <b>Do NOT</b> return the value from the cookie in this function, this would be the same as having no csrf protection at all. The doubleCsrfProtection middleware will validate the value returned by this function against the value in the cookie.</p>

<h3>ignoredMethods</h3>

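Review bot: the added paragraph mixes markdown backticks (`` `x-csrf-token` ``) into an HTML `<p>` block, whereas the rest of this README uses `<code>` for identifiers (see `<code>getTokenFromRequest</code>` in the earlier hunk); use `<code>x-csrf-token</code>` for consistent rendering. Two smaller points: the sentence "Do NOT return the value from the cookie in this function, this would be the same as having no csrf protection at all." is a comma splice and reads better as two sentences or joined with "because"; and the list earlier in the file writes "Do not" rather than "Do NOT", so pick one form. The substance is right and worth keeping: returning the cookie value from `getTokenFromRequest` makes the middleware compare the cookie with itself, which is exactly the failure mode the double-submit check exists to prevent.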