expressjs / csurf

CSRF token middleware


Best practice for the csrf token and secret (signed? httponly?)

mrkchang opened this issue · comments

For the CSRF secret, what is the best practice for 1) signed and 2) httponly?
For the CSRF token, what is the best practice for 1) signed and 2) httponly?
Why doesn't the module automatically parse the request cookies instead of the developer having to manually add the token in the header?

For the CSRF secret, what is the best practice for 1) signed and 2) httponly?

Whatever is the most secure you can set for your environment. If you can also enable samesite and secure in addition, even better. Enable as much as possible for your environment.

For the CSRF token, what is the best practice for 1) signed and 2) httponly?
Why doesn't the module automatically parse the request cookies instead of the developer having to manually add the token in the header?

The token itself cannot be inside a cookie, as the purpose of csrf is to solve the issue that web browsers automatically include cookies in requests. The token needs to be specifically included for csrf protection to work as it is designed. That is not specific to this module. You can read more on OWASP 👍