feat(security): add CSRF double-submit cookie protection

Add CSRF middleware with double-submit cookie pattern for all
state-changing requests. Integrate cookie-parser, update CORS
headers, and add client-side CSRF token handling.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
Ho Ngoc Hai
2026-04-08 05:03:24 +07:00
parent 2a392525a2
commit e5f370ced1
5 changed files with 103 additions and 1 deletions


@@ -2,6 +2,7 @@ import { NestFactory } from '@nestjs/core';
import { ValidationPipe } from '@nestjs/common';
import { DocumentBuilder, SwaggerModule } from '@nestjs/swagger';
import { LoggerService } from '@modules/shared';
import cookieParser from 'cookie-parser';
import helmet from 'helmet';
import { AppModule } from './app.module';
@@ -58,6 +59,9 @@ async function bootstrap() {
}),
);
// ── Cookie Parser (required for CSRF double-submit pattern) ──
app.use(cookieParser());
// ── CORS ──
const allowedOrigins = (process.env['CORS_ORIGINS'] ?? 'http://localhost:3000')
.split(',')
@@ -65,7 +69,7 @@ async function bootstrap() {
app.enableCors({
origin: allowedOrigins,
methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'],
allowedHeaders: ['Content-Type', 'Authorization', 'X-Correlation-Id'],
allowedHeaders: ['Content-Type', 'Authorization', 'X-Correlation-Id', 'X-CSRF-Token'],
exposedHeaders: ['X-Correlation-Id'],
credentials: true,
maxAge: 86400,
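Review bot: `app.use(cookieParser())` in the second hunk is registered without a secret, so the cookie half of the double-submit check is unsigned and a plain cookie-equals-header comparison only proves that the request carried two matching values, which any party that can set cookies for the site's domain can satisfy. Unless the CSRF middleware added elsewhere in this commit (not visible here) already binds the token to the session or verifies an HMAC server-side, consider `app.use(cookieParser(cookieSecret))` with the secret loaded from configuration (name constructed) and have the middleware read `req.signedCookies` rather than `req.cookies`. The comment on that line should state the assumption either way, e.g. `// ── Cookie Parser (required for CSRF double-submit; the CSRF cookie must be signed or session-bound, see csrf middleware) ──`. cookie-parser must also be registered before the CSRF middleware, and that ordering is outside this hunk, so it should be confirmed where the middleware is wired up. The `X-CSRF-Token` addition in the third hunk is consistent with a custom-header check that already forces a preflight under `credentials: true`.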