CSRF protection with double-submit cookie

Session-based apps still need CSRF protection even when the API is ‘JSON’. I like the double-submit cookie approach: set a CSRF token cookie, require the client to echo it in x-csrf-token, and verify they match. The reason I prefer this is that it doesn’t require server-side CSRF state and it plays nicely with otherwise stateless services. The gotcha is cookie flags: the CSRF cookie must be readable by JS (not HttpOnly), while the session cookie should stay HttpOnly. I also enforce SameSite settings and validate Origin/Referer for extra defense. It’s a small amount of code that blocks a surprisingly common class of attacks.