Reliance on Cookies without Validation and Integrity Checking
fastify-csrf is an open-source plugin that helps developers protect their Fastify server against CSRF attacks.
The generated cookie uses insecure defaults and does not set the httpOnly flag; the default cookieOpts is { path: '/', sameSite: true }. Additionally, the CSRF token is also available in the GET query parameter.
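The following is an added example, not code from the fastify-csrf project. It places the default cookie options quoted above beside a hardened set, adds a startup check that reports which integrity-relevant flags a cookieOpts object is missing, and shows a token extractor that accepts the CSRF token only from a request header or the request body, never from the query string. The request shape (`headers`, `query`, `body`) and the header names are assumptions chosen for illustration; `cookieOpts` is the option named on the page, and wiring the extractor into the plugin's own token-lookup hook is left as an assumption about its configuration surface.

```javascript
// Added example (not fastify-csrf code). Compares the insecure default cookie
// options described above with a hardened set, and shows a token extractor
// that refuses to read the CSRF token from the GET query string.

// The default options quoted in the advisory: no httpOnly, no secure, no signing.
const INSECURE_COOKIE_OPTS = { path: '/', sameSite: true };

// Hardened options: httpOnly keeps the cookie out of document.cookie, secure
// restricts it to HTTPS, signed lets the server detect tampering, and
// sameSite 'strict' keeps the cookie off cross-site requests entirely.
const HARDENED_COOKIE_OPTS = {
  path: '/',
  sameSite: 'strict',
  httpOnly: true,
  secure: true,
  signed: true,
};

// Returns the names of the flags a cookieOpts object lacks, so a startup
// check can refuse to boot with an insecure configuration. An empty array
// means the options carry every flag this check looks for.
function missingCookieFlags(opts) {
  const missing = [];
  if (opts.httpOnly !== true) missing.push('httpOnly');
  if (opts.secure !== true) missing.push('secure');
  if (opts.signed !== true) missing.push('signed');
  const sameSiteOk = opts.sameSite === 'strict' || opts.sameSite === 'lax' || opts.sameSite === true;
  if (!sameSiteOk) missing.push('sameSite');
  return missing;
}

// Token extractor (assumed header names): header first, then the request
// body. req.query is deliberately never consulted, so a token cannot be made
// to travel in a URL where it would land in logs, Referer headers or history.
function getCsrfTokenFromRequest(req) {
  const headers = req.headers || {};
  const fromHeader = headers['x-csrf-token'] || headers['csrf-token'];
  if (typeof fromHeader === 'string' && fromHeader.length > 0) return fromHeader;
  const body = req.body || {};
  if (typeof body._csrf === 'string' && body._csrf.length > 0) return body._csrf;
  return undefined;
}

// Constructed sample requests (not captured traffic) for a stand-alone run.
const SAMPLE_QUERY_ONLY = { headers: {}, query: { _csrf: 'tok-from-query' }, body: {} };
const SAMPLE_HEADER = { headers: { 'x-csrf-token': 'tok-from-header' }, query: {}, body: {} };
const SAMPLE_BODY = { headers: {}, query: {}, body: { _csrf: 'tok-from-body' } };

console.log('insecure default is missing:', missingCookieFlags(INSECURE_COOKIE_OPTS));
console.log('hardened options are missing:', missingCookieFlags(HARDENED_COOKIE_OPTS));
console.log('query-only token accepted?', getCsrfTokenFromRequest(SAMPLE_QUERY_ONLY) !== undefined);
console.log('header token:', getCsrfTokenFromRequest(SAMPLE_HEADER));
console.log('body token:', getCsrfTokenFromRequest(SAMPLE_BODY));
```

Run with `node` to see the insecure defaults flagged for `httpOnly`, `secure` and `signed`, and the query-only request rejected while the header and body variants yield their token. The `missingCookieFlags` check is cheap enough to run once at server start, which turns a silently weak default into a loud configuration error.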