Closed D34THWINGS closed 5 years ago
@D34THWINGS - Here are the hapi defaults for cookies -
```js
{
  strictHeader: true,
  ignoreErrors: false,
  isSecure: true,
  isHttpOnly: true,
  isSameSite: 'Strict',
  encoding: 'none'
}
```
We can't set isHttpOnly here as client javascript needs to read and return the cookie value, but aside from that I believe we could apply the same defaults as hapi. Yes - please submit a PR that sets a more secure default and updates the docs accordingly.
added suggestion to readme/docs.
This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.
While reading the documentation I found out that you did not mention securing the cookie at all. This is a huge security problem because anyone could forge a CSRF token by sending anything as the `crumb` cookie. This should definitely be enforced because otherwise this plugin is useless. Would you like a PR?