gorilla/csrf

[bug] README.md does not mention the need to keep the CSRF key secret

maxximino opened this issue · 1 comments

Describe the bug

The README.md at https://github.com/gorilla/csrf does not mention the need to keep the CSRF token secret.

In particular, the part between: "gorilla/csrf is easy to use: add the middleware to your router with the below:
....
Note that the authentication key passed to csrf.Protect([]byte(key)) should be 32-bytes long and persist across application restarts. "

I think it would be more novice-friendly to mention that the CSRF token should be kept secret and not hardcoded into the source code (especially for open source applications). The example with the hardcoded key should be considered just as a proof-of-concept.

I suggest this phrasing:
"Note that the authentication key passed to csrf.Protect([]byte(key)) should:

  • be 32-bytes long
  • persist across application restarts
  • be kept secret from potential malicious users - e.g. do not hardcode it into the source code, especially for open-source applications."
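As an added illustration of the third point (this is example code, not part of the issue and not gorilla/csrf's own code): instead of a key literal in the source, a program can generate a random 32-byte key once, store it out of band, and load and validate it from an environment variable at startup. The variable name `CSRF_AUTH_KEY` and the base64 encoding are assumptions made for this example; the gorilla/csrf middleware itself is not imported, so the block runs stand-alone.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"os"
)

// csrfKeyLen is the key length the gorilla/csrf README asks for.
const csrfKeyLen = 32

// ErrBadKeyLength is returned when the decoded key is not exactly 32 bytes.
var ErrBadKeyLength = errors.New("CSRF key must decode to exactly 32 bytes")

// GenerateCSRFKey returns a fresh random 32-byte key, base64-encoded so it can
// be stored in a secret manager or environment variable rather than in code.
func GenerateCSRFKey() (string, error) {
	key := make([]byte, csrfKeyLen)
	if _, err := rand.Read(key); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(key), nil
}

// DecodeCSRFKey turns the stored base64 value back into raw key bytes and
// rejects empty, malformed, or wrongly sized values so a misconfigured
// deployment fails at startup instead of running with a weak key.
func DecodeCSRFKey(encoded string) ([]byte, error) {
	if encoded == "" {
		return nil, errors.New("CSRF key is empty")
	}
	key, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, fmt.Errorf("CSRF key is not valid base64: %w", err)
	}
	if len(key) != csrfKeyLen {
		return nil, ErrBadKeyLength
	}
	return key, nil
}

// LoadCSRFKeyFromEnv reads the key from CSRF_AUTH_KEY (variable name assumed
// for this example) so the secret never appears in the repository.
func LoadCSRFKeyFromEnv() ([]byte, error) {
	return DecodeCSRFKey(os.Getenv("CSRF_AUTH_KEY"))
}

func main() {
	key, err := LoadCSRFKeyFromEnv()
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing to start:", err)
		os.Exit(1)
	}
	// With gorilla/csrf the key would now be handed to csrf.Protect(key);
	// the middleware is deliberately not imported in this stand-alone example.
	fmt.Printf("loaded %d-byte CSRF key from environment\n", len(key))
}
```

Generating the key once (for instance with `GenerateCSRFKey` in a one-off command) and injecting it through the environment keeps it stable across restarts, as the README requires, while keeping it out of source control.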