JavaScript
Sergey Rybakov, 2019-08-27 01:31:18

Is it correct to write the CSRF token in a cookie?

I am currently using the 'csurf' library inside the Nest+Next bundle.
There is an example in the documentation

app.use(cookieParser())
app.use(csrf({ cookie: true }))

With this method, on the first request the server responds with
set-cookie: _csrf=tT_oDy39L-XZkVESH0LAA140; Path=/
The cookie persists when the tab is closed, duplicated, and so on.
As I understand it, it is readable from JS so that it can then be sent in the csrf-token header.
But how safe is this? Can a third-party site get a response from a form like this? After all, when a JWT is stored in a cookie, the advice is to protect requests against CSRF with a token which, presumably, should not live in a cookie, so that a request made to the attacked site gets an access-denied response code due to an invalid or missing CSRF token.


1 answer(s)
DevMan, 2019-08-27
@kyctarnik

Why write it in a cookie if it has to be unique for each request?
