Closed jeffharrell closed 10 years ago
Very nice. Just one comment. HSTS requires a max age, but if the developer makes a mistake (wrong key name, no key, etc.) it "fails" silently by not doing anything. Should the module fail, or at least log a warning about bad config?
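The fail-loudly behaviour the comment asks for, as an added example that is not lusca's own code: an HSTS middleware factory that rejects a missing, mistyped or malformed max age when it is constructed, instead of silently emitting no header. The option names `maxAge`, `includeSubDomains` and `preload` are assumptions.

```javascript
'use strict';
// Added example (not lusca's own code). Option names are assumptions.
const VALID_KEYS = new Set(['maxAge', 'includeSubDomains', 'preload']);

function hsts(options) {
    const opts = options || {};

    // A wrong key name (e.g. "maxage") is exactly the silent-failure case the
    // review comment describes, so report it instead of ignoring it.
    const unknown = Object.keys(opts).filter((k) => !VALID_KEYS.has(k));
    if (unknown.length) {
        throw new TypeError('hsts: unknown option(s): ' + unknown.join(', '));
    }

    // RFC 6797 makes max-age mandatory: a non-negative integer of seconds.
    if (!Number.isInteger(opts.maxAge) || opts.maxAge < 0) {
        throw new TypeError('hsts: maxAge (non-negative integer seconds) is required');
    }

    let value = 'max-age=' + opts.maxAge;
    if (opts.includeSubDomains) {
        value += '; includeSubDomains';
    }
    if (opts.preload) {
        value += '; preload';
    }

    // Express-style middleware: set the header, then continue the chain.
    return function hstsMiddleware(req, res, next) {
        res.setHeader('Strict-Transport-Security', value);
        next();
    };
}

// Constructed response stub so the middleware can be exercised offline.
function makeRes() {
    const headers = {};
    return {
        headers,
        setHeader(name, val) { headers[name.toLowerCase()] = val; }
    };
}

// Runs the middleware against the stub and returns the header it produced.
function headerFor(options) {
    const res = makeRes();
    hsts(options)({}, res, () => {});
    return res.headers['strict-transport-security'];
}
```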
I think this looks good overall. I didn't go into any depth on non-csrf stuff, however. :+1:?
Otherwise, :+1:
Upstream changes merged.
@mstuart, I needed to make a tiny tweak to the interface of your code and exposed the properties themselves rather than having the users pass the raw header: https://github.com/paypal/lusca/commit/0926ccfe11a0f32bf308ebba2efaaf657a41d0bc#diff-90ac2b27c938f8b134ba5b88ff85abcdR7
Otherwise, all, any reasons why this shouldn't be merged?
@jeffharrell Cool, I like that better.
I spy with my little eye something LGTM.
Three people said it looked good. I AM PRESSING TEH GREEN BUTTON!!!1!
Changes a few things in CSRF:
res.locals
The default implementation for creating and validating tokens is similar to the algorithm connect uses, but I'm looking for feedback on that.