Secure flag is only enabled in production

Red-Stream-Y3 · Sep 19, 2024 · d08bb15 · d08bb15
1 parent 0986ce2
commit d08bb15
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/BackEnd/index.js b/BackEnd/index.js
@@ -47,7 +47,10 @@ app.use(cookieParser());
 
 // Enable CSRF protection for state-changing routes (POST, PUT, DELETE)
 const csrfProtection = csurf({
-  cookie: true, // Store CSRF token in a cookie
+  cookie: {
+    httpOnly: true, // Prevents JavaScript from accessing the cookie
+    secure: process.env.NODE_ENV === 'production', // Only set the secure flag in production
+  },
 });
 
 // Use middleware to increment visitor count