UNPKG

securestate

Version:

Secure State is a robust CSRF (Cross-Site Request Forgery) protection library for Node.js, designed to enhance the security of web applications by ensuring that sensitive actions are protected with anti-CSRF tokens. This middleware offers flexible configu

github.com/nodebysam/securestate

nodebysam/securestate

76 lines (61 loc) 2.29 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
/** * SECURE STATE * A robust CSRF security protection node library. * * By Sam Wilcox <wilcox.sam@gmail.com> * * This library is licensed under the GPL v3.0 license. * Please see LICENSE file included with this library. */ /** * Secure State library configurations. */ const config = { // Whether to regenerate the CSRF token on each request. regenerateToken: false, // Whether the token will expire after a set period of time. tokenExpires: false, // The expiration time for the the token in seconds. tokenExpiration: 0, // Whether to check the origin of the token. checkOrigin: false, // Debug mode for detailed debug information; not recommended for production. debug: false, // The length of the token. tokenLength: 32, // Options to set when the CSRF token cookie is created. cookieOptions: { // The name of the cookie to store the CSRF token in. cookieName: '_csrfToken', // Ensures the cookie cannot be accessed via JavaScript (helps prevent XSS attacks). httpOnly: true, // Prevents the cookie from being sent with cross-site requests (protects against CSRF). sameSite: 'Strict', // Ensures the cookie is only sent over HTTPS in a production environment. secure: process.env.NODE_ENV === 'production', // The path where the cookie is available (root of site use '/'). path: '/', // The domain where the cookie is available. domain: '', }, }; /** * Update the library configurations dynamically. * * @param {Object} newConfig - An object containing the updated configuration values. */ function setConfig(newConfig) { for (const key in newConfig) { if (config.hasOwnProperty(key)) { if (typeof config[key] === 'object' && typeof newConfig[key] === 'object') { Object.assign(config[key], newConfig[key]); } else { config[key] = newConfig[key]; } } } if (config.debug && process.env.NODE_ENV !== 'test') { console.log('[SECURESTATE DEBUG] Updated configuration:', config); } } module.exports = { config, setConfig };