stormpath / express-stormpath

Build simple, secure web applications with Stormpath and Express!
http://docs.stormpath.com/nodejs/express/
Apache License 2.0

Implement CSRF strategy #167

Open robertjd opened 9 years ago

robertjd commented 9 years ago

Because we are storing authentication information in cookies, we need to implement a CSRF strategy for this module. Any middleware function which is using cookies to authenticate the request should assert that the request is coming from the same domain as the cookie.

stevebread commented 8 years ago

Can the access token be used as a CSRF token? I came across the concept of double submit cookies. I'm using Angular on the client and it's only a simple configuration to have Angular return the access token in the X-XSRF-TOKEN header, and then on the server I can compare the cookie and header after the stormpath middleware.

Sounds simple but is it right?

stevebread commented 8 years ago

Never mind, the access token is rightfully HttpOnly.

mdeggies commented 8 years ago

Hey @robertjd, is this still in the works? I found this during my Google search for resources on how CSRF tokens are created and validated in express-stormpath.

robertjd commented 8 years ago

This is probably going to come in the form of some suggested modules to use, not something that is built into this library.