Socket
@dr.pogodin/csurf - npm Package Compare versions

Comparing version 1.12.2 to 1.12.3


index.js

@@ -17,3 +17,3 @@ /*!

const { sign } = require('cookie-signature');
const Tokens = require('csrf');
const Tokens = require('./tokens');
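Review bot: the switch from `require('csrf')` to a local `./tokens` in index.js vendors the token logic, but `tokens.js` itself is not part of this compare view, so nothing here shows that the in-tree copy keeps the behaviour index.js already relies on from `csrf` (secret generation, token creation, and a timing-safe token check). Please add or point to tests that exercise `./tokens` directly (create/verify round-trip, rejection of a tampered or foreign-secret token) and record in the changelog that `csrf` was replaced by an in-tree copy, so consumers auditing their tree know where that code now lives. The package.json hunk below is consistent with a vendored copy: `csrf` is dropped and `rndm`, `tsscmp` and `uid-safe` are added as direct dependencies at exact versions.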

@@ -20,0 +20,0 @@ /**

# The MIT License
_Copyright &copy; 2014 Jonathan Ong <me@jongleberry.com>_ \
_Copyright &copy; 2014-2016 Douglas Christopher Wilson <doug@somethingdoug.com>_ \
_Copyright &copy; 2022 Dr. Sergey Pogodin <doc@pogodin.studio> (https://dr.pogodin.studio)_
_Copyright &copy; 2022&ndash;2023, Dr. Sergey Pogodin_
&mdash; <doc@pogodin.studio> (https://dr.pogodin.studio) \
_Copyright &copy; 2014&ndash;2016 Douglas Christopher Wilson_
&mdash; <doug@somethingdoug.com> \
_Copyright &copy; 2014 Jonathan Ong_
&mdash; <me@jongleberry.com>

@@ -7,0 +10,0 @@ Permission is hereby granted, free of charge, to any person obtaining

{
"name": "@dr.pogodin/csurf",
"description": "CSRF token middleware for ExpressJS",
"version": "1.12.2",
"version": "1.12.3",
"license": "MIT",

@@ -15,14 +15,16 @@ "repository": "github:birdofpreyru/csurf",

"cookie-signature": "^1.2.0",
"csrf": "3.1.0",
"http-errors": "^2.0.0"
"http-errors": "^2.0.0",
"rndm": "1.2.0",
"tsscmp": "1.0.6",
"uid-safe": "2.1.5"
},
"devDependencies": {
"body-parser": "1.20.1",
"body-parser": "1.20.2",
"connect": "3.7.0",
"cookie-parser": "1.4.6",
"cookie-session": "2.0.0",
"eslint": "^8.29.0",
"eslint": "^8.36.0",
"eslint-config-airbnb-base": "^15.0.0",
"eslint-plugin-import": "^2.26.0",
"mocha": "10.1.0",
"eslint-plugin-import": "^2.27.5",
"mocha": "10.2.0",
"nyc": "15.1.0",
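Review bot: dropping `"csrf": "3.1.0"` and adding `rndm`, `tsscmp` and `uid-safe` as direct dependencies means fixes to the token code no longer arrive through a dependency update; the vendored copy has to be tracked by hand from now on. Suggest noting in the changelog, or in a header comment of the vendored file, which `csrf` release the code was copied from, so that a future advisory against `csrf` can be checked against this package. The exact pins (`"rndm": "1.2.0"`, `"tsscmp": "1.0.6"`, `"uid-safe": "2.1.5"`) give reproducible transitive behaviour, but in a library's `dependencies` they also stop consumers from picking up patch releases of those packages, which is worth an explicit decision rather than an inherited one. The trailing comma added to `"http-errors": "^2.0.0",` is correct, and the devDependency bumps (`body-parser`, `eslint`, `eslint-plugin-import`, `mocha`) are routine.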

@@ -29,0 +31,0 @@ "supertest": "6.3.3"

@@ -15,3 +15,37 @@ # CSURF

---
### Security Considerations
[Double Submit Cookie]: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie
[XSS]: https://owasp.org/www-community/attacks/xss
- **[Double Submit Cookie]** &mdash; This mode of CSRF protection relies on
the inability of code from a 3rd-party origin to read/write cookies stored,
and sent by browser for the protected origin. Sure, there are ways you may
ruin it, if you don't know what you are doing:
- Serving your website over unsecure HTTP connection &mdash;
a man in the middle might read your cookies (and everything else)
you send over, and exploit your negligence in all posible ways,
including but not limited to by-passing double submit cookie CSRF
protection.
- Allowing [XSS] injection &mdash; if 3rd party is able to inject arbitrary
code inside your own website, sure they can read the cookie and by-pass CSRF
protection.
- Allowing 3rd parties to control your sub-domains (a code running on
sub-domain may shadow CSRF cookie set by the protected domain, thus allowing
to by-pass CSRF protection).
- _etc._
This library has options allowing to mitigate these possibilities (by opting
for various security options for CSRF cookies, which will instruct the browser
to not pass CSRF cookie over insecure connections, _etc._), but, by default,
the library does not eforce these options.
[Some argue](https://github.com/birdofpreyru/csurf/issues/1) that not
enforcing these options by default is against security, and requires
deprecation of the library (like happened to its upstream original);
IMHO, enforcing these options just adds headache in more common scenarious,
and here is no security issue with the library, as long as it does exactly
what users asks it to do.
---
Requires either a session middleware or [cookie-parser](https://www.npmjs.com/package/cookie-parser) to be initialized first.
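Review bot: the new Security Considerations section says the library "has options allowing to mitigate these possibilities" but never names them or shows the configuration, which is the one thing a reader of this section needs; name the cookie settings (at minimum the one that stops the browser sending the CSRF cookie over plain HTTP) and put a short configuration example in this section rather than leaving the reader to find it elsewhere in the README. The plain-HTTP bullet understates the problem: a network attacker on an HTTP connection can also set cookies for the origin, not only read them, and a cookie the attacker chose is exactly what defeats double submit; the sub-domain bullet already makes that "someone else can write the cookie" point and the two could reference each other. The opening sentence should also say "set cookies" rather than "read/write cookies stored", since the defence rests on the attacker being unable to set one. Minor wording: "unsecure" -> "insecure", "posible" -> "possible", "by-passing" -> "bypassing", "eforce" -> "enforce", "scenarious" -> "scenarios", "here is no" -> "there is no", "users asks" -> "users ask". Style: the section is wrapped in two `---` lines, which render as horizontal rules above and below it; a `##`-level heading matching the rest of the README would read more cleanly.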

@@ -18,0 +52,0 @@

Made with ⚡️ by Socket Inc