john/tractatus
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: CSRF cookie secure flag for reverse proxy environments

Browse source 
Check X-Forwarded-Proto header to determine if request is HTTPS
This ensures CSRF cookies work correctly when nginx terminates SSL
This commit is contained in:
TheFlow 2025-10-14 15:37:49 +13:00
parent 9d0dd0d83f
commit 0debe26af0
1 changed files with 4 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
src/middleware/csrf-protection.middleware.js
View file

@ -75,9 +75,12 @@ function setCsrfToken(req, res, next) {
if (!req.cookies['csrf-token']) { if (!req.cookies['csrf-token']) {
const token = generateCsrfToken(); const token = generateCsrfToken();
//Check if we're behind a proxy (X-Forwarded-Proto header)
const isSecure = req.secure || req.headers['x-forwarded-proto'] === 'https';
res.cookie('csrf-token', token, { res.cookie('csrf-token', token, {
httpOnly: true, httpOnly: true,
secure: process.env.NODE_ENV === 'production', secure: isSecure && process.env.NODE_ENV === 'production',
sameSite: 'strict', sameSite: 'strict',
maxAge: 24 * 60 * 60 * 1000 // 24 hours maxAge: 24 * 60 * 60 * 1000 // 24 hours
}); });