Merge pull request #961 from pano9000/fix-csrf-settings

fix(csrf): set more secure csrf related settings

Author: eliandoran

src/routes/csrf_protection.ts

@@ -6,8 +6,8 @@ const doubleCsrfUtilities = doubleCsrf({
     cookieOptions: {
         path: "", // empty, so cookie is valid only for the current path
         secure: false,
-        sameSite: false,
-        httpOnly: false
+        sameSite: "strict",
+        httpOnly: true
     },
     cookieName: "_csrf"
 });

src/routes/index.ts

@@ -24,7 +24,7 @@ function index(req: Request, res: Response) {
     //'overwrite' set to false (default) => the existing token will be re-used and validated
     //'validateOnReuse' set to false => if validation fails, generate a new token instead of throwing an error
     const csrfToken = generateCsrfToken(req, res, false, false);
-    log.info(`Generated CSRF token ${csrfToken} with secret ${res.getHeader("set-cookie")}`);
+    log.info(`CSRF token generation: ${csrfToken ? "Successful" : "Failed"}`);
 
     // We force the page to not be cached since on mobile the CSRF token can be
     // broken when closing the browser and coming back in to the page.