# Guidance to handle CSRF

3 messages · Page 1 of 1 (latest)

raven fog

Hi there,
I'm using cookie-based authentication (containing a JWT, signed, with sameSite set to 'strict').
So basically I found that you need CSRF protection.

But I could not find any implementation example. And I don't think using the deprecated package from the documentation is a good idea.

Does anyone have advice or examples?

Thanks

hollow oasis
> raven fog: Hi there, I'm using a cookie based authentication (containing jwt and signed + ...

CSRF (cross-site request forgery) has nothing to do with JWT or sessions in particular; it is more of a general thing.
You don't solve it with a sameSite tag.

You solve it with a special identifier that will be different than other sites,
sent along with every request.

You solve it with a special guard/middleware.
I don't suggest implementing this yourself.

Usually the csurf package was the standard for this, but that lib is now deprecated.
You will have to find another one for this.

#

Personally I like to use double csrf for this.