adon-at-work
commented
6 years ago not as a separate bullet point because signed itself is not a value introduced by this package
Closed adon-at-work closed 6 years ago
adon-at-work
commented
6 years ago not as a separate bullet point because signed itself is not a value introduced by this package
dougwilson
commented
6 years ago Makes sense :+1: Can you ellaborate on how it will harden security? For example signed will slow down all requests due to the new crypto operations incurred. Usually it simply prevents the client from manipulating thr value. What is the attack vector for the client manipulating this value in their own cookie?
dougwilson
commented
6 years ago 
dantman
commented
6 years ago dougwilson
commented
6 years ago adon-at-work
commented
6 years ago dougwilson
commented
6 years ago dougwilson
commented
6 years ago adon-at-work
commented
6 years ago dougwilson
commented
6 years ago Clicked wrong button.
adon-at-work
commented
6 years ago dougwilson
commented
6 years ago adon-at-work
commented
6 years ago dougwilson
commented
6 years ago Also, not sure what you mean, because those are '0'+'1' won't validate. How about if we're discussion security vulnerabilities let's actually move this out of a public forum in case we need to fix something in the module 👍 As in, we don't want to expose a security issue before we have a fix out. Please email we with the details of this PoC of issue so we can fix it up 👍 We'll follow the procedure in https://github.com/expressjs/express/blob/master/Security.md since this is an Express.js project 👍
per https://github.com/expressjs/csurf/issues/138, here's the drafted change to encourage the use of signed cookies.