Skip to content
This repository has been archived by the owner on Oct 18, 2020. It is now read-only.

Fix a timing attack issue with CSRF token validation. #393

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Fix a timing attack issue with CSRF token validation. #393

wants to merge 1 commit into from

Conversation

katanacrimson
Copy link

Replacing the lazy string comparison with a constant-time string comparison provided by nodejs's internal crypto module.

crypto.timingSafeEqual (a constant-time string comparison method)
should be used for sensitive comparisons to avoid providing an opening
for timing attacks.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant