vvo/iron-session

I need to protect myself from XSS, CSRF or Broken authentication and session management vulnerabilities?

thomasop opened this issue · 1 comments

Hello, when I use iron-session in my authentication system, must I protect myself against XSS, CSRF or Broken authentication and session management vulnerabilities? Or is this automatically handled by iron-session? In my application I use a form that the client fills in and the backend checks the user's email and password, and if everything is ok then creates this:

    // store the authenticated user in the iron-session cookie and seal it
    req.session.user = {
        id: 230,
        admin: true,
    };
    await req.session.save();

I just wanted to know if there is a need to do more, thank you

vvo commented

Hey there, the default settings of iron-session are secure enough to be used in production as long as you follow the other security rules of the industry.

There's no automatic handling of XSS or CSRF in this library, you have to deal with that if you have security holes in your app.

iron-session's goal is to provide a secure way to read and set sessions; everything else is on the user of the lib.

Good luck!

> I just wanted to know if there is a need to do more, thank you

From your example, you're good to go