
How to properly configure csurf with cookie-session in express?

I'm trying to set up CSRF protection using cookie-session, as the csurf docs mention it explicitly, but loading my /form page returns a 500 and 'misconfigured csrf' is logged to the console.

import csrf from 'csurf'
import express from 'express'
import cookieSession from 'cookie-session'

const app = express()
const CookieSettings = {
  name: 'session',
  keys: ['keyone', 'keytwo'],
  httpOnly: true
}
//template engine stuff
app.use(cookieSession(CookieSettings))
app.use(csrf({ cookie: true }))
app.use(express.urlencoded({ extended: true }))

app.get('/form', (req, res) => {
  res.render('form.html', { csrf: req.csrfToken() })
})
app.post('/form', (req, res) => {
  console.log('CSRF: ', req.body._csrf)
  res.redirect(303, '/form')
})

app.listen(3000)

If you want to use cookies ["csrf({ cookie: true })"], you should use the lib 'cookie-parser' (csurf_github); otherwise, you should use session.
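Why the posted setup fails and why the two arrangements named in the answer work, as an added example that is not from the original post or from csurf itself. It is a dependency-free, simplified model of where the middleware looks for its secret; the helper names (`findSecretBag`, `afterCookieSession`, `afterCookieParser`, `check`, `runCases`) are hypothetical and the request objects are constructed.

```javascript
// Simplified model (an assumption, not csurf's source) of where the middleware
// looks for its per-user secret, following the behaviour described above.
function findSecretBag(req, options = {}) {
  const cookie = options.cookie || false
  // Cookie mode reads what cookie-parser put on req; otherwise it reads the session.
  const bag = cookie
    ? (cookie.signed ? req.signedCookies : req.cookies)
    : req[options.sessionKey || 'session']
  if (!bag) throw new Error('misconfigured csrf')
  return bag
}

// Constructed request objects: what each middleware stack leaves on req.
// After app.use(cookieSession(...)): only req.session exists.
const afterCookieSession = () => ({ session: {} })
// After app.use(cookieParser(...)): req.cookies and req.signedCookies exist.
const afterCookieParser = () => ({ cookies: {}, signedCookies: {} })

// Run one configuration and report whether the secret store was found.
function check(label, req, options) {
  try {
    findSecretBag(req, options)
    return `${label}: ok`
  } catch (err) {
    return `${label}: ${err.message}`
  }
}

function runCases() {
  return [
    // The question's setup: cookie mode requested, but nothing populated req.cookies.
    check('cookie-session + csrf({ cookie: true })', afterCookieSession(), { cookie: true }),
    // Session mode: the secret lives in req.session from cookie-session.
    check('cookie-session + csrf()', afterCookieSession(), {}),
    // Cookie mode with cookie-parser registered before csrf.
    check('cookie-parser + csrf({ cookie: true })', afterCookieParser(), { cookie: true })
  ]
}

console.log(runCases().join('\n'))
```

In the posted app this means either dropping `{ cookie: true }` so the secret is kept in the cookie-session `req.session`, or registering cookie-parser before `csrf({ cookie: true })`.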
