From 50017931e1ab233e56d296832cff7c85d6f5884c Mon Sep 17 00:00:00 2001 From: psibean Date: Mon, 25 Nov 2024 21:41:40 +1030 Subject: [PATCH] chore: documentation clarifications --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index b224337..b333a04 100644 --- a/README.md +++ b/README.md @@ -65,7 +65,7 @@ Do not use the same secret for csrf-csrf and cookie-parser.
  • - Do not transmit your CSRF token by cookies. + Do not use the cookie value within getTokenFromRequest>.
  • Do not expose your CSRF tokens or hash in any log output or transactions other than the CSRF exchange. @@ -247,7 +247,7 @@ string;

    Optional: The name of the httpOnly cookie that will be used to track CSRF protection. If you change this it is recommend that you continue to use the __Host- or __Secure- security prefix.

    Change for development

    - +f

    The security prefix requires the secure flag to be true and requires requests to be received via HTTPS, unless you have your local instance running via HTTPS, you will need to change this value in your development environment.

    cookieOptions
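Review bot: in the cookieName hunk (README line 247), the changed line is not legible in this rendering (`- +f`), so this comment covers the surrounding context only. The unchanged line `If you change this it is recommend that you continue to use the __Host- or __Secure- security prefix.` has a typo (`recommended`), and the sentence under "Change for development" runs two thoughts together with a comma before `unless`; splitting it ("... requires requests to be received via HTTPS. Unless your local instance runs over HTTPS, you will need to change this value in your development environment.") would read more clearly. Since the hunk already touches this section, it is a good place to fix both.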

    @@ -316,7 +316,7 @@ string; (req: Request) => req.headers["x-csrf-token"]; ``` -

    This function should return the token sent by the frontend, the doubleCsrfProtection middleware will validate the value returned by this function against the value in the cookie.

    +

    This function should return the token sent by the frontend, either in the request body/payload, or from the `x-csrf-token` header. Do NOT return the value from the cookie in this function, this would be the same as having no csrf protection at all. The doubleCsrfProtection middleware will validate the value returned by this function against the value in the cookie.

    ignoredMethods
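Review bot: in the first hunk (README line 65), the added bullet has a stray `>` after the identifier: `+ Do not use the cookie value within getTokenFromRequest>.` It should read `Do not use the cookie value within \`getTokenFromRequest\`.` with the function name in backticks, matching how `x-csrf-token` is formatted in the third hunk. The line it replaces ("Do not transmit your CSRF token by cookies.") stated the general rule; consider keeping one short clause of rationale in this bullet, since a reader of the list will not necessarily reach the `getTokenFromRequest` section that explains that reading the cookie defeats the protection.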
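Review bot: in the getTokenFromRequest hunk (README line 316), the added sentence `Do NOT return the value from the cookie in this function, this would be the same as having no csrf protection at all.` is a comma splice and uses lowercase `csrf` where the rest of the README writes `CSRF`; suggest `Do NOT return the value from the cookie in this function; this would be the same as having no CSRF protection at all.` It would also help to state the reason in one clause: the browser attaches the cookie to a cross-site request automatically, so if the value being checked is read from that same cookie the comparison always passes and the double-submit check proves nothing. The sentence that follows, "The doubleCsrfProtection middleware will validate the value returned by this function against the value in the cookie.", makes that concrete.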