fix csrf path so that it's valid only for current path and not whole (sub)domain

2025-06-05 17:38:47 +02:00 · 2019-03-24 23:03:30 +01:00 · 2019-03-24 23:03:30 +01:00 · 001bd1d004
commit 001bd1d004
parent 6c7e2f0aa1
1 changed files with 4 additions and 1 deletions
--- a/src/routes/routes.js
+++ b/src/routes/routes.js
@ -40,7 +40,10 @@ const sql = require('../services/sql');
 const protectedSessionService = require('../services/protected_session');
 const csurf = require('csurf');

-const csrfMiddleware = csurf({ cookie: true });
+const csrfMiddleware = csurf({
+    cookie: true,
+    path: '' // nothing so cookie is valid only for current path
+});

 function apiResultHandler(req, res, result) {
    // if it's an array and first element is integer then we consider this to be [statusCode, response] format