fix(csrf): stop leaking the CSRF token in the server logs

As per OWASP: "A CSRF token must not be leaked in the server logs or in the URL.", see: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#transmissing-csrf-tokens-in-synchronized-patterns
2025-01-16 21:16:33 +07:00 · 2025-01-16 21:16:33 +07:00 · ec19ccd7a7
parent 283a12b0d5
commit ec19ccd7a7
1 changed files with 1 additions and 1 deletions
--- a/src/routes/index.ts
+++ b/src/routes/index.ts
@ -24,7 +24,7 @@ function index(req: Request, res: Response) {
    //'overwrite' set to false (default) => the existing token will be re-used and validated
    //'validateOnReuse' set to false => if validation fails, generate a new token instead of throwing an error
    const csrfToken = generateCsrfToken(req, res, false, false);
-    log.info(`Generated CSRF token ${csrfToken} with secret ${res.getHeader("set-cookie")}`);
+    log.info(`CSRF token generation: ${csrfToken ? "Successful" : "Failed"}`);

    // We force the page to not be cached since on mobile the CSRF token can be
    // broken when closing the browser and coming back in to the page.