Comments (4)
As I wrote the above I realized that since the app wasn't actually running over SSL and Nodejitsu was doing the SSL termination I turned off secure cookies and all is well with Safari.
Now I'm wondering how Chrome was working! ???
from csurf.
Now I'm wondering how Chrome was working! ???
It's possible Chrome had a cookie in there from you but not marked secure (perhaps it got there at a time in your development before you added the secure flag?). If you clear your cookies in Chrome and try it without SSL like Safari was, perhaps it will show the same behavior :)
from csurf.
Thanks Doug. I also discovered proxy: true
in Express session. ;)
This works:
app.use(session({
secret: config.session.secret,
name: 'sessionId', // Use something generic so you don't leak information about your server
cookie: {
httpOnly: true, // Reduce XSS attack vector
proxy: true, // Trust the reverse proxy when setting secure cookies
secure: true, // Cookies via SSL
maxAge: config.session.maxAge
},
store: new MongoStore({
mongoose_connection: db,
auto_reconnect: true
})
}));
from csurf.
I also discovered proxy: true in Express session.
Ah yes. I guess it should really use express's helpers to get the protocol so it will use your "trust proxy"
setting from our express app directly instead of setting it multiple times.
from csurf.
Related Issues (20)
- Feature add 'Encrypted Token Pattern' HOT 3
- Add credentials warning to documentation HOT 7
- A way of getting csrfToken through POST request HOT 3
- Cannot validate CSRF token using the example code HOT 4
- Can docs clarify how cookie mode works? HOT 3
- please document the `signed` config option HOT 4
- Disable CSRF checking during tests HOT 1
- previous token still valid HOT 1
- Token Lifetime HOT 2
- Need docs and examples for working with single page application. HOT 3
- BREACH attack mitigation HOT 2
- No regeneration of secret when a valid token is submitted HOT 2
- A cookie secret is not really secret HOT 1
- Upgrade to [email protected] for SameSite=None support HOT 1
- Best practice for the csrf token and secret (signed? httponly?) HOT 1
- User's CSRF Token is invalid but doesn't look like so HOT 7
- New token secret with every request HOT 3
- Update docs to address situations with mixed protection approaches HOT 1
- How I can validate csrf token one time with only a request
- Failed on validation when using with 2 backends
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from csurf.