@fastify/csrf-protection - npm Package Compare versions

Comparing version 5.1.0 to 6.0.0

.taprc

26

index.js

@@ -59,2 +59,16 @@ 'use strict'

let getSecret
if (sessionPlugin === '@fastify/secure-session') {
getSecret = function getSecret (req, reply) { return req.session.get(sessionKey) }
} else if (sessionPlugin === '@fastify/session') {
getSecret = function getSecret (req, reply) { return req.session[sessionKey] }
} else {
getSecret = function getSecret (req, reply) {
return isCookieSigned
? reply.unsignCookie(req.cookies[cookieKey] || '').value
: req.cookies[cookieKey]
}
}
function generateCsrfCookie (opts) {
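
Review bot: the cookie branch at `reply.unsignCookie(req.cookies[cookieKey] || '').value` relies on `.value` being null when the signature does not verify and never consults the `.valid` flag that `unsignCookie` also returns; checking `.valid` explicitly, and treating an invalid signature the same as a missing secret, would make the fail-closed behaviour visible to readers instead of implicit. Selecting the closure once at registration time is a good change, but the two session branches declare a `reply` parameter they do not use; a one-line comment that all three share the `(req, reply)` signature on purpose would stop that looking like an oversight.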

@@ -107,14 +121,2 @@ let secret = isCookieSigned

}
function getSecret (req, reply) {
if (sessionPlugin === '@fastify/secure-session') {
return req.session.get(sessionKey)
} else if (sessionPlugin === '@fastify/session') {
return req.session[sessionKey]
} else {
return isCookieSigned
? reply.unsignCookie(req.cookies[cookieKey] || '').value
: req.cookies[cookieKey]
}
}
}
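
Review bot: this removal is behaviour-preserving only if `sessionPlugin`, `sessionKey`, `cookieKey` and `isCookieSigned` are fixed once the plugin is registered. The removed function re-evaluated the branch on every call, whereas the replacement binds one closure up front, so the unit tests should exercise each of the three branches (`@fastify/secure-session`, `@fastify/session`, plain cookie) to confirm the right `getSecret` is selected for each `sessionPlugin` value.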

@@ -121,0 +123,0 @@

{
"name": "@fastify/csrf-protection",
"version": "5.1.0",
"version": "6.0.0",
"description": "A plugin for adding CSRF protection to Fastify.",
"main": "index.js",
"types": "index.d.ts",
"types": "types/index.d.ts",
"scripts": {
"test": "standard && tap --100 test/*.test.js && tsd"
"lint": "standard",
"test": "npm run test:unit && npm run test:typescript",
"test:unit": "tap",
"test:typescript": "tsd"
},
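
Review bot: the new `test` script no longer runs `standard`, and the `--100` coverage threshold has left the command line, so `npm test` on its own neither lints nor enforces full coverage any more. `lint` now lives only in a separate script, so CI has to call `npm run lint` explicitly, and the coverage requirement should be confirmed to have moved into the `.taprc` that appears in this compare rather than having been dropped.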

@@ -27,14 +30,12 @@ "repository": {

"homepage": "https://github.com/fastify/fastify-csrf#readme",
"tsd": {
"directory": "./test"
},
"dependencies": {
"@fastify/csrf": "^5.1.0",
"@fastify/csrf": "^6.0.0",
"@fastify/error": "^3.0.0",
"fastify-plugin": "^3.0.0"
"fastify-plugin": "^4.0.0"
},
"devDependencies": {
"@fastify/cookie": "^7.0.0",
"@fastify/cookie": "^8.0.0",
"@fastify/pre-commit": "^2.0.2",
"@fastify/secure-session": "^5.0.0",
"@fastify/session": "^9.0.0",
"@fastify/session": "^10.0.0",
"@types/node": "^18.0.0",
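
Review bot: `@fastify/cookie` is bumped to `^8.0.0` but stays in `devDependencies` even though the plugin calls `reply.unsignCookie` at runtime; a `peerDependencies` entry for `@fastify/cookie` (and for the session plugins selected via `sessionPlugin`) would make the supported version range explicit to consumers, who otherwise only discover an incompatible install when a request fails. The `@fastify/csrf` and `fastify-plugin` bumps are both majors, so the 6.0.0 release notes should say what, if anything, a consumer has to change.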

@@ -46,4 +47,8 @@ "fastify": "^4.2.0",

"tap": "^16.0.0",
"tsd": "^0.22.0"
}
"tsd": "^0.24.1"
},
"pre-commit": [
"lint",
"test"
]
}
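
Review bot: the new `pre-commit` array runs `lint` and `test` on every commit, which is useful locally but is not a substitute for CI, since hooks are trivially skipped; with the two now separate scripts, make sure the CI workflow runs `npm run lint` as well as `npm test`.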

@@ -18,3 +18,3 @@ # @fastify/csrf-protection

Security is always a tradeoff between risk mitigation, functionality, and developer experience.
Security is always a tradeoff between risk mitigation, functionality, performance, and developer experience.
As a result we will not consider a report of a plugin default configuration option as security

@@ -36,3 +36,3 @@ vulnerability that might be unsafe in certain scenarios as long as this module provides a

By default, the cookie used will be named `_csrf`, but you can rename it via the `cookieKey` option.
When `cookieOpts` are provided, they **override** the default options. Make sure you restore any of the default options which provide sensible and secure defaults.
When `cookieOpts` are provided, they **override** the default cookie options. Make sure you restore any of the default options which provide sensible and secure defaults.
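
Review bot: the sentence tells users to "restore any of the default options" when passing `cookieOpts`, but never says what those defaults are; listing the default cookie attributes next to this paragraph would let a reader see exactly what is lost by overriding (for instance whether the cookie is marked HTTP-only or carries a `SameSite` policy) and copy them back explicitly.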

@@ -133,7 +133,7 @@ ```js

- Stored in some external services like KMS, Vault or something similar
- Read at run-time and supplied in this option
- Read at run-time and supplied to this option
- Of significant character length to provide adequate entropy
- Truly random sequence of characters (You could use [crypto-random-string](http://npm.im/crypto-random-string))
Apart from these safeguards, it is extremely important to [use HTTPS for your website/app](https://letsencrypt.org/) to avoid a bunch of other potential security issues like [MITM](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) etc.
Apart from these safeguards, it is extremely important to [use HTTPS for your website/app](https://letsencrypt.org/) to avoid a bunch of other potential security issues like [MITM attacks](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) etc.
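
Review bot: "Of significant character length to provide adequate entropy" gives no number, so the guidance is not actionable; state a concrete minimum (32 bytes from a CSPRNG is a common baseline) and mention that Node's built-in `crypto.randomBytes` satisfies the "truly random" bullet without adding a dependency, alongside the linked package.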

@@ -152,7 +152,7 @@ ## API

| `sessionPlugin` | The session plugin that you are using (if applicable). |
| `csrfOpts` | The csrf options. See [csrf](https://github.com/pillarjs/csrf). |
| `csrfOpts` | The csrf options. See [@fastify/csrf](https://github.com/fastify/csrf). |
### `reply.generateCsrf([opts])`
Generates a secret (if is not already present) and returns a promise that resolves to the associated secret.
Generates a secret (if it is not already present) and returns a promise that resolves to the associated secret.
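
Review bot: `reply.generateCsrf([opts])` is documented as resolving to "the associated secret", but the method name says it produces the CSRF value handed to the client, while the secret is the value this README elsewhere says to store in an external service like KMS or Vault; please clarify which of the two the promise resolves to, since a reader who takes "secret" literally may conclude the example is sending it to the client.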

@@ -172,7 +172,7 @@ ```js

A hook that you can use for protecting routes or entire plugins from CSRF attacks.
Generally, we recommend to use the `onRequest` hook, but if you are sending the token
via the body, then you should use `preValidation` or `preHandler`.
Generally, we recommend using an `onRequest` hook, but if you are sending the token
via the request body, then you must use a `preValidation` or `preHandler` hook.
```js
// protect the entire plugin
// protect the fastify instance
fastify.addHook('onRequest', fastify.csrfProtection)
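
Review bot: the text now says you "must" use `preValidation` or `preHandler` when the token travels in the body, but not why; adding that Fastify's `onRequest` hooks run before the request body has been parsed, so `req.body` is not available there, turns the rule into something readers can reason about when choosing a hook.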

@@ -203,4 +203,10 @@

It is recommended to provide a custom `getToken` function for performance and [security](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#use-of-custom-request-headers) reasons.
```js
fastify.register(require('@fastify/csrf-protection'), { getToken: function (req) { req.headers['csrf'] } })
```
## License
[MIT](./LICENSE)
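
Review bot: the `getToken` example `function (req) { req.headers['csrf'] }` has no `return` statement, so it always returns `undefined`, the plugin sees no token, and every protected request is rejected; it should read `getToken: function (req) { return req.headers['csrf'] }`. Since the paragraph cites the OWASP custom-header recommendation, a short clause saying why it helps (a cross-origin page cannot add a custom request header without a CORS preflight) would also make the advice self-explanatory.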

