feat: allow csrf to disable sharing of token via cookie

adonisjs · Mar 6, 2020 · 95399d7 · 95399d7
1 parent d16ae22
commit 95399d7
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/templates/shield.txt b/templates/shield.txt
@@ -128,6 +128,22 @@ export const csrf: ShieldConfig['csrf'] = {
   */
   exceptRoutes: [],
 
+  /*
+  |--------------------------------------------------------------------------
+  | Enable Sharing Token Via Cookie
+  |--------------------------------------------------------------------------
+  |
+  | When the following flag is enabled, AdonisJS will drop `XSRF-TOKEN`
+  | cookie that frontend frameworks can read and return back as a
+  | `X-XSRF-TOKEN` header.
+  |
+  | The cookie has `httpOnly` flag set to false, so it is little insecure and
+  | can be turned off when you are not using a frontend framework making
+  | AJAX requests.
+  |
+  */
+  enableXsrfCookie: true,
+
   /*
   |--------------------------------------------------------------------------
   | Methods to Validate