Closed adon-at-work closed 6 years ago
not as a separate bullet point because signed itself is not a value introduced by this package
Makes sense :+1: Can you elaborate on how it will harden security? For example, signed will slow down all requests due to the new crypto operations incurred. Usually it simply prevents the client from manipulating the value. What is the attack vector for the client manipulating this value in their own cookie?
Clicked wrong button.
Also, not sure what you mean, because those are '0'+'1' won't validate. How about, if we're discussing security vulnerabilities, let's actually move this out of a public forum in case we need to fix something in the module 👍 As in, we don't want to expose a security issue before we have a fix out. Please email me with the details of this PoC of the issue so we can fix it up 👍 We'll follow the procedure in https://github.com/expressjs/express/blob/master/Security.md since this is an Express.js project 👍
Per https://github.com/expressjs/csurf/issues/138, here's the drafted change to encourage the use of signed cookies.