Delimiter and http only support #79

Merged 3 commits into v3.x.x from delimiter-and-http-only-support on Nov 25, 2024

Conversation

@psibean (Contributor) commented Nov 25, 2024

Since the v4 major version release is taking a bit longer than I'd expected, here's a slight update for v3, no breaking changes.

@psibean psibean changed the base branch from main to v3.x.x November 25, 2024 11:13
@psibean psibean force-pushed the delimiter-and-http-only-support branch from 4939872 to 6d1e87b November 25, 2024 11:15
When storing the value in the cookie both the non-hashed token and the
hashed token are concatenated together separated by a delimiter. This
is so that stateless re-use of the token value can be supported.

Previously the delimiter was hardcoded to a '|' character; it can now
be overridden via the delimiter configuration option.

Technically there's nothing wrong with disabling the httpOnly option
for the csrf cookie. It's a valid way for the frontend to also extract
the token value to then include it in a header or request body; many
other CSRF solutions allow this.

Due to some controversial discussions around a particular use case
where Twitter had a CSRF vulnerability from a vulnerable subdomain, and
because the httpOnly option being set to true could have mitigated the
vulnerability in that particular case, csrf-csrf enforced an httpOnly
flag of true. However, it should be up to the developer to determine
the risk involved and whether or not that's the implementation they
want to use.

csrf-csrf will default to httpOnly true and will continue to recommend
keeping it as true, but will not restrict developers' choice to balance
their security as they see fit.
@psibean psibean force-pushed the delimiter-and-http-only-support branch from 6d1e87b to dd8d51c November 25, 2024 11:22
@psibean psibean merged commit 5001793 into v3.x.x Nov 25, 2024
7 checks passed