hapijs / crumb

CSRF crumb generation and validation for hapi

Plugin strips security headers #146

Closed saurabhgupta050890 closed 4 years ago

saurabhgupta050890 commented 4 years ago

Support plan

Context

What are you trying to achieve or the steps to reproduce?

const Hapi = require('@hapi/hapi');
const Crumb = require('@hapi/crumb');

const server = new Hapi.Server({
  port: 8080,
  host: "0.0.0.0",
  routes: {
    cors: {
      origin: [
        "ionic://localhost",
      ],
    },
    security: true, // enable hapi's default security headers
  },
});

// `await` needs an async context when this is run as a plain script
(async () => {
  await server.register({ plugin: Crumb });
})();

What was the result you got?

I am setting security to true to enable the default security headers. When I use the crumb plugin, the security headers are removed.

What result did you expect?

Plugin should work with default security headers

devinivy commented 4 years ago

I am not able to reproduce this. Here's the diff in headers I'm seeing without and with crumb (both cases using security: true):

 {
   'content-type': 'text/html; charset=utf-8',
   'strict-transport-security': 'max-age=15768000',
   'x-frame-options': 'DENY',
   'x-xss-protection': '1; mode=block',
   'x-download-options': 'noopen',
   'x-content-type-options': 'nosniff',
   'cache-control': 'no-cache',
-  'content-length': 104,
+  'set-cookie': [
+    'crumb=NrymIabFe6k7fXdc9z7jmq271CZfONpxWGl3BHeRQ5E; Secure; HttpOnly; SameSite=Strict; Path=/'
+  ],
+  'content-length': 147,
   'accept-ranges': 'bytes',
-  date: 'Wed, 29 Jul 2020 02:49:53 GMT',
+  date: 'Wed, 29 Jul 2020 02:49:27 GMT',
   connection: 'keep-alive'
 }

In each case the security headers are preserved. If you still believe there is an issue, can you provide some more details and perhaps a more complete reproduction?
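
A way to turn the header comparison above into a repeatable regression check, added here as an example that is not part of the thread or of the crumb project: it takes the response headers captured without and with crumb registered (constructed below from the diff above, with a placeholder crumb value), reports any of hapi's default security headers that went missing or changed, and parses the crumb cookie to confirm its Secure, HttpOnly and SameSite attributes. The function and constant names are assumptions of this example.

```javascript
// Headers hapi adds when `routes.security: true`; names compared case-insensitively.
const SECURITY_HEADERS = ['strict-transport-security', 'x-frame-options',
  'x-xss-protection', 'x-download-options', 'x-content-type-options'];

const lower = (h) => Object.fromEntries(
  Object.entries(h).map(([k, v]) => [k.toLowerCase(), v]));

// Security headers present in `before` that are missing or changed in `after`.
function lostSecurityHeaders(before, after) {
  const a = lower(before), b = lower(after);
  return SECURITY_HEADERS.filter((name) => name in a && a[name] !== b[name]);
}

// Parse the crumb cookie from a set-cookie header (string or array) and report
// the attributes crumb sets by default. Returns null when no crumb cookie is set.
function crumbCookieAttributes(setCookie) {
  const list = Array.isArray(setCookie) ? setCookie : [setCookie];
  const cookie = list.find((c) => typeof c === 'string' && c.startsWith('crumb='));
  if (!cookie) return null;
  const [pair, ...attrs] = cookie.split(';').map((s) => s.trim());
  const flags = attrs.map((x) => x.toLowerCase());
  const sameSite = attrs.find((x) => x.toLowerCase().startsWith('samesite='));
  return {
    value: pair.slice('crumb='.length),
    secure: flags.includes('secure'),
    httpOnly: flags.includes('httponly'),
    sameSite: sameSite ? sameSite.split('=')[1] : null,
  };
}

// Regression check: no security header lost and the crumb cookie is hardened.
function checkCrumbRegistration(before, after) {
  const lost = lostSecurityHeaders(before, after);
  const cookie = crumbCookieAttributes(lower(after)['set-cookie']);
  const ok = lost.length === 0 && cookie !== null && cookie.secure &&
    cookie.httpOnly && cookie.sameSite === 'Strict';
  return { lost, cookie, ok };
}

// Constructed sample input modelled on the header diff in the thread.
const WITHOUT_CRUMB = {
  'strict-transport-security': 'max-age=15768000',
  'x-frame-options': 'DENY',
  'x-xss-protection': '1; mode=block',
  'x-download-options': 'noopen',
  'x-content-type-options': 'nosniff',
};
const WITH_CRUMB = { ...WITHOUT_CRUMB, 'set-cookie':
  ['crumb=PLACEHOLDER_TOKEN; Secure; HttpOnly; SameSite=Strict; Path=/'] };
```

Feed it the `res.headers` objects from two `server.inject()` calls (one without and one with the plugin) and fail the test suite whenever `ok` is false.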

devinivy commented 4 years ago

Also, if you believe there is a security issue please contact us directly per our security policy, which is referenced alongside the issue templates when you attempt to create a new issue.

cjihrig commented 4 years ago

No follow up. I'll close this out.