Dockery/Trilium
1
0
Fork 0
mirror of https://github.com/zadam/trilium.git synced 2025-11-03 20:06:08 +01:00
Code Issues Packages Projects Releases Activity

fix(csrf): stop leaking the CSRF token in the server logs

Browse Source 
As per OWASP:
"A CSRF token must not be leaked in the server logs or in the URL.", see:
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#transmissing-csrf-tokens-in-synchronized-patterns
This commit is contained in:
Panagiotis Papadopoulos
2025-01-16 21:16:33 +01:00
parent 283a12b0d5
commit ec19ccd7a7
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/routes/index.ts
View File

@@ -24,7 +24,7 @@ function index(req: Request, res: Response) {
//'overwrite' set to false (default) => the existing token will be re-used and validated //'overwrite' set to false (default) => the existing token will be re-used and validated
//'validateOnReuse' set to false => if validation fails, generate a new token instead of throwing an error //'validateOnReuse' set to false => if validation fails, generate a new token instead of throwing an error
const csrfToken = generateCsrfToken(req, res, false, false); const csrfToken = generateCsrfToken(req, res, false, false);
log.info(`Generated CSRF token ${csrfToken} with secret ${res.getHeader("set-cookie")}`); log.info(`CSRF token generation: ${csrfToken ? "Successful" : "Failed"}`);
// We force the page to not be cached since on mobile the CSRF token can be // We force the page to not be cached since on mobile the CSRF token can be
// broken when closing the browser and coming back in to the page. // broken when closing the browser and coming back in to the page.