
Secure csrf #78

Open
mrazvan21 opened this issue Mar 25, 2016 · 6 comments

Comments

@mrazvan21

How can I set secure CSRF?

@shaunwarman
Member

You can drop a hidden element on the page with your created CSRF token, similar to this kraken example.

Be sure that you have a session to hold onto the secret for validation purposes.

Flow:

  • Incoming non-safe HTTP verb with CSRF header
  • Parse request
  • lusca middleware finds `_csrf` and uses the secret from the session to validate `_csrf`

@mrazvan21
Author

@shaunwarman I use CSRF in a cookie :) not in HTML :)
with the param `angular: true` in the lusca settings.

@shaunwarman
Member

Ah, ok perfect! What are you trying to change?

@mrazvan21
Author

I use Node.js behind Apache (as a proxy).
I want to set XSRF-TOKEN with the secure flag set to true (obviously I use HTTPS :D).
The session is set with secure = true, but the CSRF cookie can't be set that way directly from lusca; it only works if I override res.cookie, because when lusca sets the XSRF cookie it is not set with options.secure = true.

You can see it here https://github.com/krakenjs/lusca/blob/master/lib/csrf.js at line 49 (res.cookie(cookie, token);).

I'm forwarding the SSL details from Apache to Node, so Node knows that the site is on HTTPS (SSL is set up in the Apache conf). I set secure = true in the cookie section of express-session.

I managed to set the CSRF cookie with secure = true only by overriding res.cookie (when options.secure is not set, I set it to true automatically if HTTPS is active), but I don't like this...

I don't understand what I omitted...
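An added example, not code from lusca or from anyone in this thread: an Express-style middleware that wraps `res.cookie` so the XSRF-TOKEN cookie gets the Secure flag whenever the request came in over HTTPS, i.e. the override described above written as a reusable piece. It assumes lusca's angular mode names the cookie XSRF-TOKEN, that the middleware is registered before `lusca.csrf()`, that `trust proxy` is enabled so `req.secure` is correct behind Apache, and that the Express/cookie version in use accepts a `sameSite` option; the fake req/res objects are constructed for offline testing.

```javascript
'use strict';

// lusca's default cookie name in angular mode (assumption, not taken from lusca's source here).
const CSRF_COOKIE = 'XSRF-TOKEN';

// Register BEFORE lusca.csrf(). Requires app.set('trust proxy', 1) behind Apache so that
// req.secure reflects the X-Forwarded-Proto header instead of the plain-HTTP proxy hop.
function secureCsrfCookie(req, res, next) {
  const originalCookie = res.cookie;
  res.cookie = function (name, value, options) {
    const opts = Object.assign({}, options || {});
    if (name === CSRF_COOKIE && req.secure) {
      // Force Secure so the token is never transmitted over plain HTTP.
      opts.secure = true;
      // Do NOT set httpOnly: the Angular client must read this cookie to copy it into the header.
      // Extra hardening (assumption): limit cross-site sends of the token cookie.
      if (opts.sameSite === undefined) opts.sameSite = 'strict';
    }
    return originalCookie.call(res, name, value, opts);
  };
  next();
}

// Constructed stand-ins for Express req/res so the middleware can be exercised offline.
// Returns the list of res.cookie calls that reached the "real" res.cookie.
function runMiddleware(isHttps) {
  const req = { secure: isHttps };
  const calls = [];
  const res = {
    cookie(name, value, options) { calls.push({ name, value, options }); return res; }
  };
  secureCsrfCookie(req, res, () => {});
  // Mimic lusca's call at csrf.js line 49: res.cookie(cookie, token) with no options.
  res.cookie(CSRF_COOKIE, 'constructed-token');
  // An unrelated cookie must be left untouched.
  res.cookie('other', 'x');
  return calls;
}

module.exports = { CSRF_COOKIE, secureCsrfCookie, runMiddleware };
```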

@stgogm
Contributor

stgogm commented Jun 2, 2017

I'm facing the same issue and, as I see it, there's no way to set the cookie as secure or HttpOnly but to override it.

This is because the CSRF configuration doesn't accept options for the cookie.

https://expressjs.com/en/api.html#res.cookie

@stgogm
Contributor

stgogm commented Jun 2, 2017

Opened a pull request with a possible solution: #104
