Csurf might be deprecated in the main npm repository, but that does not change the fact that it is still a great lib for CSRF tokens in Node.js.

While striving to find and provide a straightforward path to assured security on websites, I have come up with a Context Design Pattern for CSRF tokens, which is very simple but might not be what you think or what you are used to.

In the traditional approach, to defend against foreign links that target, e.g., deleting your users’ profiles when a link is clicked, we know that CSRF tokens are the answer. But what happens when the links are on your website, e.g. in the HTML-formatted posts or comments section?

Well, I suggested the following to ChatGPT and the machine fell for it!

Think of the csurf lib’s cookie being sent with the string “posts-cookie-token” while in the posts or comments section, along with a CSRF token. The cookie is a session identifier and the CSRF token must be provided along with the cookie. To disallow actions such as user deletion from the comments section, there is a different cookie/CSRF-token pair for the user profile section. This means that the CSRF token for user deletion will never resolve for the comments section.

Are there any Node developers in here at this hour? Security fans? What do you think, gang? I’m up for writing a security manual for novice web developers and selling it for some cash online. WDYT?