From a7ade5c1db8fa691e9321eeacfaf405df191232f Mon Sep 17 00:00:00 2001 From: Massimo Maggi Date: Fri, 28 May 2021 23:21:00 +0200 Subject: [PATCH] Add a note about secrecy of CSRF token in the README.md --- README.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index be1558c..4abf569 100644 --- a/README.md +++ b/README.md @@ -68,9 +68,12 @@ http.ListenAndServe(":8000", CSRF(r)) ...and then collect the token with `csrf.Token(r)` in your handlers before passing it to the template, JSON body or HTTP header (see below). -Note that the authentication key passed to `csrf.Protect([]byte(key))` should be -32-bytes long and persist across application restarts. Generating a random key -won't allow you to authenticate existing cookies and will break your CSRF +Note that the authentication key passed to `csrf.Protect([]byte(key))` should: +- be 32-bytes long +- persist across application restarts. +- kept secret from potential malicious users - do not hardcode it into the source code, especially not in open-source applications. + +Generating a random key won't allow you to authenticate existing cookies and will break your CSRF validation. gorilla/csrf inspects the HTTP headers (first) and form body (second) on
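Review bot: the third bullet in the new list breaks the parallel structure of the list and buries the actual advice: the first two bullets read "should: be 32-bytes long / persist across application restarts." while the third starts with a bare past participle ("kept secret from potential malicious users"), so the sentence "the authentication key ... should: kept secret" is ungrammatical. Suggest "be kept secret from potential malicious users" and, since the dash list already uses `-` as the bullet marker, avoid a second ` - ` inside the bullet; a period or a parenthetical reads better, e.g. "be kept secret from potential malicious users (do not hardcode it into the source code, especially not in open-source applications)". While there, "32-bytes long" should be "32 bytes long", and the stray trailing period on the second bullet should match the others. Finally, the sentence moved into its own paragraph, "Generating a random key won't allow you to authenticate existing cookies and will break your CSRF validation.", has lost its context now that it no longer follows the restart clause directly; it reads as if any random key is wrong, when the point is a key generated at startup. Suggest "Generating a new random key on each start won't allow you to authenticate existing cookies ...", and consider adding where the key should come from instead (an environment variable or a secrets manager) so the secrecy bullet is actionable.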