This repository has been archived by the owner on Aug 30, 2021. It is now read-only.

CSRF protection middleware for the app? #828

Closed
tmfelwu opened this issue Aug 20, 2015 · 11 comments

Comments

@tmfelwu

tmfelwu commented Aug 20, 2015

Are there any plans to implement CSRF protection, as the app uses cookie-based authentication?

@pgrodrigues
Contributor

This should indeed be addressed. You can follow the guidelines here, which suggest using the csurf Express middleware.

You don't need to do anything in the frontend as long as you keep things within the Angular way, because Angular will deal with it by itself, as mentioned in the docs:

Angular provides a mechanism to counter XSRF. When performing XHR requests, the $http service reads a token from a cookie (by default, XSRF-TOKEN) and sets it as an HTTP header (X-XSRF-TOKEN). Since only JavaScript that runs on your domain could read the cookie, your server can be assured that the XHR came from JavaScript running on your domain. The header will not be set for cross-domain requests.

@codydaig
Member

@sparshy https://github.com/expressjs/csurf would be my recommendation to start. :-D Happy Hacking!

@lirantal
Member

I would also look into PayPal's Lusca project as a candidate.

@pgrodrigues
Contributor

Didn't know lusca; it seems like a mix between csurf and helmet.

@codydaig
Member

@sparshy Did that answer your question?

@tmfelwu
Author

tmfelwu commented Aug 22, 2015

Yes @codydaig, thanks. I will try to implement CSRF tokens on my branch as soon as I get time. Do you guys have a plan to implement it in the main branch in the future?

@lirantal
Member

@sparshy indeed, security is also something we're investing efforts in (specifically I've been working on this front as well with my previous PRs about session security/cookies, etc).

Would be great to see a PR for that whenever you have time to work on it.

@lirantal lirantal added this to the 0.4.x milestone Aug 22, 2015
@trainerbill
Contributor

If we go with Lusca, I will volunteer to do it. I am biased here :)

@lirantal
Member

@sparshy I assume no update on this topic?
@trainerbill, be my guest - can you quickly research lusca vs. csurf/helmet? Then let's start working on this PR.

@codydaig
Member

A PR has been submitted #997

@lirantal lirantal self-assigned this Oct 17, 2015
@codydaig codydaig modified the milestones: 0.5.0, 0.4.x Nov 7, 2015
lirantal added a commit that referenced this issue Feb 20, 2016
[feat] Added Lusca middleware for CSRF [fixes #828]