# What is the best alternative to CSRF protection for NestJS?

strange wagon
magic pagoda
#

I can point you to how my custom approach works if you want to see it

simple cosmos
serene sky
#

What is your use case?

strange wagon
# serene sky You sure you need csrf?

I'm not using it for anything serious, I'm building a dummy portfolio project and learning Nest as I go. I'm also just learning about csrf vulnerability.

#

So it'll be nice to also learn how to prevent it 😁

fallow finch
# strange wagon I tried this package from the documentation, but it was deprecated. https://docs...

I like to use double CSRF, also known as csrf-csrf:
https://www.npmjs.com/package/csrf-csrf

I find this even more secure than csurf.

#

It even allows the CSRF to be signed,
and even rolling codes.

I set up a global middleware that generates a random secret key
and then stores it in the request object, like in req.csrf,
where double CSRF will fetch it from.

Not even I know the secret to the CSRF, and even if I did,
with only a single request it is already something different that I do not know either.