fix(api): csurf to SameSite 'strict', https only (#39077)

Lax and http are probably sufficient, but if the stricter versions work
there's no harm using them.
This commit is contained in:
Oliver Eyton-Williams
2020-06-16 17:18:48 +02:00
committed by GitHub
parent 02bb0546a1
commit b3d5cde75e


@ -3,7 +3,9 @@ import csurf from 'csurf';
export default function() { export default function() {
const protection = csurf({ const protection = csurf({
cookie: { cookie: {
domain: process.env.COOKIE_DOMAIN || 'localhost' domain: process.env.COOKIE_DOMAIN || 'localhost',
sameSite: 'strict',
secure: true
} }
}); });
return function csrf(req, res, next) { return function csrf(req, res, next) {
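Review bot: `secure: true` on the csurf cookie is unconditional, so any deployment reached over plain http — typically local development — has the browser refuse to store the CSRF secret cookie and every subsequent token check fails; if https-only is the intent in all environments, say so in a comment on that line, otherwise gate it, e.g. `secure: process.env.NODE_ENV === 'production'`. While these cookie options are being tightened, `httpOnly: true` belongs next to `sameSite`/`secure`: the cookie holds the secret csurf validates server-side, and the token pages need is handed out via `req.csrfToken()`, so page scripts have no reason to read the cookie. `sameSite: 'strict'` also withholds the cookie on cross-site top-level navigations, which is fine for a secret consulted only on same-site state-changing requests, but worth confirming against any cross-site POST callbacks this API accepts. The enclosing `csrf` middleware function continues past the end of the hunk.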