This repository has been archived by the owner on Sep 14, 2022. It is now read-only.

Best practice for the csrf token and secret (signed? httponly?) #211

Closed
mrkchang opened this issue Apr 5, 2020 · 1 comment
Comments


mrkchang commented Apr 5, 2020

For the CSRF secret, what is the best practice for 1) signed and 2) httponly?
For the CSRF token, what is the best practice for 1) signed and 2) httponly?
Why doesn't the module automatically parse the request cookies instead of the developer having to manually add the token in the header?

@dougwilson
Contributor

For the CSRF secret, what is the best practice for 1) signed and 2) httponly?

Whatever is the most secure you can set for your environment. If you can also enable samesite and secure in addition, even better. Enable as much as possible for your environment.

For the CSRF token, what is the best practice for 1) signed and 2) httponly?
Why doesn't the module automatically parse the request cookies instead of the developer having to manually add the token in the header?

The token itself cannot be inside a cookie, as the purpose of CSRF protection is to solve the issue that web browsers automatically include cookies in requests. The token needs to be specifically included for CSRF protection to work as it is designed. That is not specific to this module. You can read more on OWASP 👍
