krakenjs / lusca

Application security for express apps.
1.79k stars 139 forks

Change CSRF-Token name #138

Open molerat619 opened 4 years ago

molerat619 commented 4 years ago

Hey there.

I'm working on a legacy system and need to change the name of the CSRF-Token. I have tried many different options, but nothing seems to work.

app.use(lusca({
  csrf: {
    angular: true,
    // key: 'FirstTest'
    cookie: {
      // name: 'SecondTest',
      options: {
        xsrfCookieName: 'ThirdTest',
        domain: 'www.example.de'
      }
    }
  },
  xframe: 'SAMEORIGIN',
  hsts: {
    maxAge: 31536000, // 1 year, in seconds
    includeSubDomains: false,
    preload: true
  },
  xssProtection: true
}));

No matter what I do, the cookie is still called XSRF-TOKEN.

Background: My actual problem is that I'm sharing some cookies via the subdomain, so .example.de, in the frontend, but another application also has an XSRF-TOKEN, so in my requests to my backend it uses the wrong XSRF-Token because they are called the same... That's why I've tried to set 'includeSubDomains' to false, but it didn't help.