Comments (4)
Pull request to add documentation welcome 👍
from csurf.
I took a look to just add it myself and it's already there in the README.
Since the request is to document it and it's already documented, I'm going to close the issue. If you would like it documented differently, that's OK and you can help us understand why you don't think it's currently documented and how it can be better (I usually suggest making a PR in this case, as usually that is the most straightforward way to get your thoughts across).
from csurf.
I guess you're referring to the last bullet, which sends the user to http://expressjs.com/en/4x/api.html#res.cookie
When set to an object, cookie storage of the secret is enabled and the object contains options for this functionality (when set to true, the defaults for the options are used). The options may contain any of the following keys:
- key - the name of the cookie to use to store the token secret (defaults to '_csrf').
- path - the path of the cookie (defaults to '/').
- any other res.cookie option can be set.
That's pretty indirect and obscure, to me at least. One has to visit the expressjs doc, then click through to cookie-parser, before knowing that req.secret is the location. I'm trying to get consent before raising a PR (I guess it's easy for anyone to do that).
P.S. path is, however, in this README despite being part of the "other res.cookie option".
from csurf.
You already have consent to make a PR to add whatever documentation you think would be helpful 👍 The only ones documented here directly are the ones in which the default values differ from res.cookie (because this module contains code to override them). Since it just uses the same underlying code, it used to get out of sync constantly, so it just sends the users to a link, which is why it's that way currently, as a user made a PR suggesting that was better than an out-of-date copy-paste.
If you have thoughts/ideas on how it should be, and, if we're going to copy and paste parts of other documentation, what the method will be to keep it updated over time, I'm all ears 👍 The doc is the way it is because someone came by and suggested it, and I don't care either way, haha. Whatever is most useful to folks.
from csurf.