hapijs / crumb

CSRF crumb generation and validation for hapi

Suggest to secure cookie by default in documentation #128

Closed D34THWINGS closed 5 years ago

D34THWINGS commented 5 years ago

While reading the documentation I found out that you did not mention to secure the cookie at all. This is a huge security problem because anyone could forge a CSRF token by sending anything as crumb cookie. This should definitely be enforced because otherwise this plugin is useless. Would you like a PR?

spanditcaa commented 5 years ago

@D34THWINGS - Here are the hapi defaults for cookies -

{
    strictHeader: true,
    ignoreErrors: false,
    isSecure: true,
    isHttpOnly: true,
    isSameSite: 'Strict',
    encoding: 'none'
}

We can't set isHttpOnly here as client JavaScript needs to read and return the cookie value, but aside from that I believe we could apply the same defaults as hapi. Yes - please submit a PR that sets a more secure default and updates the docs accordingly.

spanditcaa commented 5 years ago

Added suggestion to readme/docs.

lock[bot] commented 4 years ago

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.