fix: update default cookie name

psibean · psibean · commit 8f1ce8db97d9 · 2022-10-08T18:15:38.000+10:30
The default cookie name and README recommendation was incorrect.
The recommended prefix is not "Host__", but "__Host-".
A minor security advisory will be released for this issue.
It isn't a huge vulnerability as there are workarounds available,
e.g. you can set your own cookieName.
diff --git a/README.md b/README.md
@@ -154,7 +154,7 @@ When creating your csrfSync, you have a few options available for configuration,
 ```js
 const doubleCsrfUtilities = doubleCsrf({
   getSecret, // A function that optionally takes the request and returns a secret
-  cookieName = "Host__psifi.x-csrf-token", // The name of the cookie to be used, recommend using Host prefix.
+  cookieName = "__Host-psifi.x-csrf-token", // The name of the cookie to be used, recommend using Host prefix.
   cookieOptions: {
     httpOnly = true,
     sameSite = "lax",  // Recommend you make this strict if posible
diff --git a/example/complete/package.json b/example/complete/package.json
@@ -12,7 +12,7 @@
   "license": "ISC",
   "dependencies": {
     "cookie-parser": "^1.4.6",
-    "csrf-csrf": "2.2.0",
+    "csrf-csrf": "2.2.1",
     "express": "^4.18.1"
   }
 }
diff --git a/example/simple/package.json b/example/simple/package.json
@@ -11,7 +11,7 @@
   "author": "psibean",
   "license": "ISC",
   "dependencies": {
-    "csrf-csrf": "2.2.0",
+    "csrf-csrf": "2.2.1",
     "express": "^4.18.1",
     "cookie-parser": "^1.4.6"
   }
diff --git a/example/simple/src/index.js b/example/simple/src/index.js
@@ -10,7 +10,7 @@ const port = 5555;
 // In production, ensure you're using cors and helmet and have proper configuration.
 const { generateToken, doubleCsrfProtection } = doubleCsrf({
   getSecret: () => "this is a test", // NEVER DO THIS
-  cookieName: "x-csrf-test", // Prefer HOST__ prefixed names if possible
+  cookieName: "x-csrf-test", // Prefer "__Host-" prefixed names if possible
   cookieOptions: { sameSite: false, secure: false, signed: true }, // not ideal for production, development only
 });
 
diff --git a/src/index.ts b/src/index.ts
@@ -61,7 +61,7 @@ export interface DoubleCsrfUtilities {
 
 export function doubleCsrf({
   getSecret,
-  cookieName = "Host__psifi.x-csrf-token",
+  cookieName = "__Host-psifi.x-csrf-token",
   cookieOptions: {
     httpOnly = true,
     sameSite = "lax",
diff --git a/src/tests/testsuite.ts b/src/tests/testsuite.ts
@@ -30,7 +30,7 @@ export const createTestSuite: CreateTestsuite = (name, doubleCsrfOptions) => {
     } = doubleCsrf({ ...doubleCsrfOptions });
 
     const {
-      cookieName = "Host__psifi.x-csrf-token",
+      cookieName = "__Host-psifi.x-csrf-token",
       cookieOptions: {
         signed = false,
         path = "/",

Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@`
`12`	`12`	`"license": "ISC",`
`13`	`13`	`"dependencies": {`
`14`	`14`	`"cookie-parser": "^1.4.6",`
`15`		`- "csrf-csrf": "2.2.0",`
	`15`	`+ "csrf-csrf": "2.2.1",`
`16`	`16`	`"express": "^4.18.1"`
`17`	`17`	`}`
`18`	`18`	`}`
Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@`
`11`	`11`	`"author": "psibean",`
`12`	`12`	`"license": "ISC",`
`13`	`13`	`"dependencies": {`
`14`		`- "csrf-csrf": "2.2.0",`
	`14`	`+ "csrf-csrf": "2.2.1",`
`15`	`15`	`"express": "^4.18.1",`
`16`	`16`	`"cookie-parser": "^1.4.6"`
`17`	`17`	`}`