Fix a timing attack issue with CSRF token validation. #393

katanacrimson · 2020-02-01T14:53:10Z

Replacing the lazy string comparison with a constant-time string comparison provided by nodejs's internal crypto module.

crypto.timingSafeEqual (a constant-time string comparison method) should be used for sensitive comparisons to avoid providing an opening for timing attacks.

Fix a timing attack issue with CSRF token validation.

37fde81

crypto.timingSafeEqual (a constant-time string comparison method) should be used for sensitive comparisons to avoid providing an opening for timing attacks.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix a timing attack issue with CSRF token validation. #393

Fix a timing attack issue with CSRF token validation. #393

katanacrimson commented Feb 1, 2020

Fix a timing attack issue with CSRF token validation. #393

Are you sure you want to change the base?

Fix a timing attack issue with CSRF token validation. #393

Conversation

katanacrimson commented Feb 1, 2020