fix: update default cookie name

The default cookie name and README recommendation was incorrect. The recommended prefix is not "Host__", but "__Host-". A minor security advisory will be released for this issue. It isn't a huge vulnerability as there are workarounds available, e.g. you can set your own cookieName.
Psifi-Solutions · Oct 8, 2022 · 8f1ce8d · 8f1ce8d
1 parent c4cbfbe
commit 8f1ce8d
Show file tree

Hide file tree

Showing 6 changed files with 6 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -154,7 +154,7 @@ When creating your csrfSync, you have a few options available for configuration,
 ```js
 const doubleCsrfUtilities = doubleCsrf({
   getSecret, // A function that optionally takes the request and returns a secret
-  cookieName = "Host__psifi.x-csrf-token", // The name of the cookie to be used, recommend using Host prefix.
+  cookieName = "__Host-psifi.x-csrf-token", // The name of the cookie to be used, recommend using Host prefix.
   cookieOptions: {
     httpOnly = true,
     sameSite = "lax",  // Recommend you make this strict if posible

diff --git a/example/complete/package.json b/example/complete/package.json
@@ -12,7 +12,7 @@
   "license": "ISC",
   "dependencies": {
     "cookie-parser": "^1.4.6",
-    "csrf-csrf": "2.2.0",
+    "csrf-csrf": "2.2.1",
     "express": "^4.18.1"
   }
 }
diff --git a/example/simple/package.json b/example/simple/package.json
@@ -11,7 +11,7 @@
   "author": "psibean",
   "license": "ISC",
   "dependencies": {
-    "csrf-csrf": "2.2.0",
+    "csrf-csrf": "2.2.1",
     "express": "^4.18.1",
     "cookie-parser": "^1.4.6"
   }

diff --git a/example/simple/src/index.js b/example/simple/src/index.js
@@ -10,7 +10,7 @@ const port = 5555;
 // In production, ensure you're using cors and helmet and have proper configuration.
 const { generateToken, doubleCsrfProtection } = doubleCsrf({
   getSecret: () => "this is a test", // NEVER DO THIS
-  cookieName: "x-csrf-test", // Prefer HOST__ prefixed names if possible
+  cookieName: "x-csrf-test", // Prefer "__Host-" prefixed names if possible
   cookieOptions: { sameSite: false, secure: false, signed: true }, // not ideal for production, development only
 });
 

diff --git a/src/index.ts b/src/index.ts
@@ -61,7 +61,7 @@ export interface DoubleCsrfUtilities {
 
 export function doubleCsrf({
   getSecret,
-  cookieName = "Host__psifi.x-csrf-token",
+  cookieName = "__Host-psifi.x-csrf-token",
   cookieOptions: {
     httpOnly = true,
     sameSite = "lax",

diff --git a/src/tests/testsuite.ts b/src/tests/testsuite.ts
@@ -30,7 +30,7 @@ export const createTestSuite: CreateTestsuite = (name, doubleCsrfOptions) => {
     } = doubleCsrf({ ...doubleCsrfOptions });
 
     const {
-      cookieName = "Host__psifi.x-csrf-token",
+      cookieName = "__Host-psifi.x-csrf-token",
       cookieOptions: {
         signed = false,
         path = "/",