This repository was archived by the owner on Oct 18, 2020. It is now read-only.

Fix a timing attack issue with CSRF token validation.#393

Open
katanacrimson wants to merge 1 commit into silverwind:master from katanacrimson:csrf-constant-time-comparison

Conversation

@katanacrimson

Replacing the lazy string comparison with a constant-time string comparison provided by Node.js's internal crypto module.

crypto.timingSafeEqual (a constant-time string comparison method)
should be used for sensitive comparisons to avoid providing an opening
for timing attacks.