All Questions
200 questions
0 votes · 0 answers · 94 views
connect.sid cookie is not being created, req.session generates a new sessionID on every request, something is wrong with my CSRF implementation
What is expected?
I hit the GET /csrf/token endpoint from my frontend
A new csrf token is generated as no cookie is set yet
This csrf token is saved to redis store via connect-redis and connect.sid ...
1 vote · 0 answers · 16 views
CSRF token won't be set unless the server sends a response. But a CSRF token is needed to make a request inside nuxtServerInit? How to handle this case?
Backend
Take this express backend server
const app = express();
app.use(rTracer.expressMiddleware());
app.use(requestLogger);
app.use(
cors({
credentials: true,
origin: getAllowedOrigins,
...
0 votes · 0 answers · 42 views
ForbiddenError: invalid csrf token at doubleCsrf
First off, sorry this is a re-upload. The reason being, I'm an idiot...
I'm creating a dummy social media app using express JS and Mongoose. I tried to implement sessions and CSRF protection but I am ...
1 vote · 0 answers · 47 views
Express.js: ForbiddenError: invalid csrf token when using csurf
I tried to apply my frontend pages to 2 different servers: Django and Express.js. In Django I used CSRF tokens, and I want to use the same frontend pages for the 2 servers. So I tried to apply CSRF tokens ...
0 votes · 0 answers · 17 views
Cross origin cookies not visible in browser devtools, but still working
I have a MERN stack app, frontend on frontend.local and backend on backend.local. I have CORS set up. I'm using express-session.
When a user logs in, I set a session id, and it automatically sends a ...
0 votes · 0 answers · 17 views
Why aren't my cookies persistent on subdomains?
I have a MERN app with a front end deployed on onrender.com and backend deployed on onrender.com.
I am attempting to use cookies and jwt for authentication but am having a lot of trouble with cookies ...
0 votes · 0 answers · 68 views
CSRF CSRF utility package invalid CSRF Token Error
Because CSURF has been deprecated I have been trying to use the double CSRF utility package but am finding some of their docs confusing. In my Express TypeScript backend I have set up csrf csrf like this ...
1 vote · 0 answers · 67 views
Firebase Auth: Handle csrfToken and AuthGuard (Angular 17)
I'm trying to build a frontend in Angular 17 and a backend with Express and handle authentication with Firebase. But this is the first time I'm trying to do this and I have a few questions.
How does the ...
0 votes · 1 answer · 60 views
How to prevent someone from copying POST request from developer tools and modifying request payload?
We are using http-only cookie based JWT authentication in our MERN application.
Recently we experienced suspicious activity from a user. The user created an account and then made a POST request with a ...
0 votes · 0 answers · 119 views
How to handle CSRF token with Firebase, Angular, and Express?
I want to use a CSRF token, and I understand that for each form submission, I need to send my CSRF token. The token is generated once when a user signs in (it's a random UID). Here's what happens ...
0 votes · 0 answers · 267 views
Invalid CSRF Token Because Chrome Blocks third-party cookies in Incognito mode
My front end uses React and is hosted by https://render.com/ with a domain purchased on SquareSpace. My backend is in Express.js and requires a CSRF token for verification in order to prevent CSRF. ...
0 votes · 1 answer · 271 views
Csurf Forbidden Error: invalid csrfToken code: 'EBADCSRFTOKEN' in nodejs
In my blog project, csrf works fine on some post routes like login, register, logout, update account information,... but in the admin routes, when I tried to create/update a post or a category - it ...
0 votes · 0 answers · 141 views
CSRF token for MERN stack doesn't work on iPhone browsers
I read a few pages here about CSRF (Cross-Site Request Forgery) attacks and how to defend your app against them, but I still need help. So, here I am, implementing a full-stack MERN app hosted in ...
4 votes · 1 answer · 6k views
SvelteKit: Cross-site POST form submissions are forbidden
My setup is a SvelteKit app paired with an Express server (in order to handle sockets). This app has some POST requests which work fine with Vite, but not when I run it with Express. I get the error ...
0 votes · 1 answer · 818 views
Should CSRF protection token be given before authenticating?
I want to add CSRF protection by sending the CSRF token. I used the csurf library in Node/Express JS. I tried getting the token with a GET request and it gives me the token successfully, but I guess ...
-1 votes · 1 answer · 577 views
CSRF and CORS: Why allow the request to happen if we know there will be a cors error?
I am confused by why the cors package allows the request to be processed even if the origin in the request header isn't white-listed. For example, res.status(202).send(await User.find()) returns a ...
0 votes · 1 answer · 468 views
Should I use a CSRF token in a REST API?
I am creating a login registration system using React on the frontend and Express.js on the backend.
In this system I will use access and refresh tokens. When a user logs in, that user will get an access token ...
0 votes · 2 answers · 2k views
Why does the CSRF token always say invalid CSRF while I send the token through a request to the backend?
I import these two packages (csrf, cookieparser) and use them inside the app.js for Express. It's working, and I also tested it in Postman and it's working fine. Here is my Express.js code:
const csrf = require(...
0 votes · 1 answer · 387 views
How to properly configure csurf with cookie-session in express?
I'm trying to set up CSRF protection using cookie-session as the csurf docs mention it explicitly, but loading my /form page returns a 500 and 'misconfigured csrf' is logged to the console.
import csrf ...
2 votes · 2 answers · 1k views
How to exclude an endpoint from CSRF middleware
See update below...
My React front-end is able to call upon my Node back-end API. However, when an external site calls upon my API, it receives an error. If I comment out the CSRF part (the 5 lines) ...
0 votes · 1 answer · 740 views
How to implement CSRF protection with csurf in API calls without the use of template engines?
I'm developing a RESTful API which uses express-session and passport.js authentication to store the session in the connect-pg-simple store.
I'm looking into implementing a CSRF protection with the ...
1 vote · 2 answers · 2k views
How to use csurf middleware in tsoa express?
I am new to tsoa and I want to do CSRF implementation in my node app. I have been able to make api using app.use() but I want to write in tsoa. Is there any way?
1 vote · 0 answers · 809 views
How to set csrfToken with express-session?
I'm using express-session and connect pg simple for my session and store management like so:
app.use(
session({
secret: process.env.SECRET,
resave: false,
saveUninitialized: false,
...
1 vote · 2 answers · 6k views
CSRF tokens in React
I am trying to secure my React/Express app using CSRF tokens.
I was following the first approach from this article but I don’t see how this is secure.
It suggests setting a CSRF token in the header ...
-1 votes · 1 answer · 919 views
How to prevent CSRF attacks? [closed]
I want to prevent CSRF attacks on my API (Express app, Node.js).
I searched Google and YouTube but I can't find a way to do it. On the YouTube tutorial it said to generate a token and send it to the client ...
1 vote · 1 answer · 2k views
How to refresh CSRF token in Nodejs / Express via AJAX
The scenario:
I have a page in my app which users seem to be leaving open and returning to well after their session / CSRF token have expired.
When they try and submit data from that page and the session is ...
1 vote · 1 answer · 211 views
Why does the csrf check not work on the server?
const csrfProtection = csrf({
cookie: {httpOnly: true}
})
// Middleware
app.use(express.json())
app.use(cookieParser())
app.use(csrfProtection)
app.use(cors({
origin: 'http://localhost:8081',
...
2 votes · 0 answers · 1k views
Express CSURF returns ForbiddenError: invalid csrf token
Background
I have an Express app that uses TypeScript. I am intending to make a backend that will authenticate users and retrieve data etc. I also have a react app that will call this backend ...
2 votes · 0 answers · 443 views
403 invalid csrf token, Express, csurf, React and Axios
I am trying to implement CSRF protection for my API endpoints.
I am using Express and csurf. When making a POST request using Axios from my React app I am receiving 403 invalid csrf token.
I have been ...
1 vote · 2 answers · 2k views
ExpressJS + ReactJS SPA - Different CSRF token generated in every request
I have set up the csurf node module to add CSRF protection to my ExpressJS application. The frontend is a ReactJS single page application. The problem is that I'm constantly getting this error with ...
3 votes · 0 answers · 253 views
Express CSRF with subdomain
I have two applications: one is an Angular front end, the other is a backend API.
The URLs for these apps look like so:
https://frontend.mydomain.com
https://api.mydomain.com
When using CSRF it appears ...
1 vote · 0 answers · 251 views
How to send cookies across different domains in production
Intro
My Express app is deployed on Heroku, and my Next.js app is deployed on Vercel.
I am using CSRF protection using the 'csurf' package, and everything works in development, but in production the ...
0 votes · 1 answer · 350 views
Node.js module CSURF question -- how do ANTI-CSRF tokens get computed?
I'm using the node.js module CSURF, which is configured to use cookies via cookie-parser.
For demo purposes, I'm just echoing the ANTI-CSRF token to the screen on a /form GET request. Here's the ...
1 vote · 1 answer · 532 views
CSRF Protection is not working in Safari browser due to third-party cookie blocking
I am working on a web application that uses a frontend written with React and a backend server written with the Node.js Express framework. The backend server is using the csurf package in order to return to the ...
1 vote · 0 answers · 161 views
Fetching csrf token using csurf from function not api route
I created an API route named "/add" that renders a file named "additional-user-info" with a CSRF token and it works fine
app.js
const express = require("express");
require("...
1 vote · 2 answers · 2k views
Invalid CSRF Token in React but valid in Postman
I have an Express server on which I'm generating a csrf token. My server looks like this
const csrfProtection = csrf({
cookie: {
httpOnly: true,
},
});
server.use(express.json());
server.use(...
0 votes · 1 answer · 210 views
How to handle CSRF with only a POST request when there is no GET request
I have a delete post route in my CSM. Delete is not working because cross-site forgery is detected; other routes are working perfectly because there is a GET/POST pair available. For the delete route, I ...
-1 votes · 1 answer · 221 views
Node Express CSRF token is not invalidated after logout
I'm using the standard express CSRF module. It seems to work correctly, except that after logging out and logging in again, it's still possible to use a CSRF token generated in the previous session. I ...
0 votes · 1 answer · 33 views
Protect Single Page App with stand alone API from XSRF
I have two node servers, one is dedicated to serve the (frontend of my) single page of the app (developed in react), the other one is my backend API. I would like to protect my app from XSRF attack, ...
1 vote · 0 answers · 210 views
How do I prevent people from exploiting my REST API
Let's say I am making a music app, where users can upload music and listen to it. The plays counter increments if they listen to the music for at least 30 seconds. So the code would look something like:
...
0 votes · 1 answer · 196 views
Express and React, send CSURF token
I have a NodeJs server running some app using EJS,
now I want to add a React app.
But I don't quite manage to send the csrf token back to the server from React.
Here's my server setup:
const ...
1 vote · 1 answer · 1k views
"message":"invalid csrf token","code":"EBADCSRFTOKEN"
I read all similar questions on Stack Overflow and I checked the issues on the csurf GitHub page, but I could not figure out the issue. This is the Express middlewares file:
const app = express();
const ...
0 votes · 1 answer · 140 views
Is there a way to CSRF protection if it's coming from within the Express server itself?
I have an express server with an endpoint that during its function needs to send a request to another endpoint on the same server, right now I have CSRF protection on this endpoint and would rather ...
4 votes · 1 answer · 963 views
Getting ForbiddenError: invalid csrf token with multer added locally to image upload router
I am using csurf as recommended in my Express application to guard against cross-site forgeries. I have registered it globally (illustrated with code below) and so far so good.
Now, I have added ...
0 votes · 1 answer · 369 views
Express csurf middleware always accepted even if I don't attach _csrf in the req.body from React app, but API works in Postman as expected
Hi, I am trying to achieve CSRF protection in a React.js and Express.js application. The Express API is working properly with Postman: when I attach _csrf: token to the req.body then it works, otherwise ...
0 votes · 1 answer · 3k views
Exception csrfToken is not a function when called by supertest
I have a NestJS backend with CSRF protection and an endpoint to get the CSRF token. I'm getting TypeError: req.csrfToken is not a function when testing this endpoint with jest and supertest.
My code ...
1 vote · 1 answer · 2k views
Node Js - Express - CSURF : "invalid csrf token"
I'm trying to implement csurf within an express app hosted in firebase and I'm facing the 'EBADCSRFTOKEN' error in one specific case.
This error only occurs when a user is logged in through a session ...
0 votes · 1 answer · 694 views
Disable csrf when express route is called internally
I have the following simple code to enable csrf protection
import csrf from 'csurf';
const csrfProtection = csrf({
cookie: {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
...
1 vote · 2 answers · 14k views
How to solve: "ForbiddenError: invalid csrf token"
I have problems with setting up CSRF. I hope that someone can point me in the right direction.
I'm using Next.js with Express.js.
When I refresh the page the following happens:
I get a _csurf cookie (dev ...
7 votes · 1 answer · 4k views
Preventing CSRF with an Express API and a React frontend
I have been reading around CSRF for the past few days and feel like I have a good grasp on what it is and how to prevent it. I am building a small Express/React application that will have a secure ...