MEDIUM: CSRF cookie defaults to httpOnly=false - XSS bypasses CSRF protection #80

Closed
opened 2026-05-31 12:03:55 -05:00 by null · 1 comment
Bug Description

The CSRF cookie defaults to httpOnly: false (controlled by CSRF_HTTP_ONLY env var, which defaults to false). This is intentional for SPA architectures where JavaScript reads the CSRF token from the cookie. However, this means any XSS vulnerability can read the CSRF token from document.cookie and bypass CSRF protection entirely.

The code comments acknowledge this tradeoff (middleware/csrf.js:15-17).

Affected Files

  • middleware/csrf.js:12-35
  • .env.example (documented but defaults to false)

Impact

If any XSS vulnerability exists in the app, CSRF protection is completely negated since the token is accessible to JavaScript.

Recommended Fix

Consider migrating to the double-submit cookie pattern where the CSRF token is set in a separate httpOnly cookie and sent via a custom header (which JavaScript can set but not read). Alternatively, add Content-Security-Policy headers to reduce XSS risk.

null added the priority:medium, backend, bug labels 2026-05-31 12:03:55 -05:00
null closed this issue 2026-05-31 15:55:29 -05:00
Reference: null/BillTracker#80