MEDIUM: CSRF cookie defaults to httpOnly=false - XSS bypasses CSRF protection #80
Reference: null/BillTracker#80
Bug Description
The CSRF cookie defaults to httpOnly: false (controlled by the CSRF_HTTP_ONLY env var, which itself defaults to false). This is intentional: the SPA reads the CSRF token from the cookie with JavaScript and echoes it back in a request header (the cookie-to-header form of the double-submit cookie pattern), so the cookie has to be readable from script. The consequence is that any XSS vulnerability in the app can read the token from document.cookie, attach it to a forged request and pass the CSRF check entirely.
The code comments acknowledge this tradeoff (middleware/csrf.js:15-17).
Affected Files
Impact
If any XSS vulnerability exists in the app, the CSRF protection is completely negated, because the token is accessible to JavaScript running in the app's origin and such script can issue same-origin requests that carry the session cookie.
Recommended Fix
The fix originally proposed here (move the token into a separate httpOnly cookie and send it via a custom header) cannot work as written: the cookie-to-header scheme already in use is the double-submit cookie pattern, and a token in an httpOnly cookie is invisible to the SPA, so it would have nothing to put in the header and every state-changing request would be rejected. Delivering the token somewhere the SPA can read instead (a response body, a meta tag, a dedicated token endpoint) keeps the app working but does not help against XSS either, since script running in the app's origin can read whatever the SPA can read. CSRF tokens are not a defence against XSS. The realistic mitigations are to reduce XSS risk with a strict Content-Security-Policy (and consistent output encoding), and to set SameSite on the session cookie so that genuinely cross-site requests do not carry it in the first place.
closed