-
Currently, you can still use csurf even though it is in deprecated mode. If the package accomplishes the job you need it to, use it. I'm catching up here to see if there is any signal in the noise of snyk reports. But I think you miss an important part of the issue at hand OP, which is that the snyk reports' quality is considered very low and noisy. What I mean is, looking at snyk reports in vscode and implementing their suggestions blindly is the opposite of what work (if any) needs to be done here. Edit: I see your screenshots are not from csurf itself, but from application code and snyk is recommending using csurf to fix issues in your app. You can still take those recommendations, but you should evaluate if the vuln they are suggesting your app has is actually valid for your use cases.
-
csurf is still one of, if not the most, downloaded and widely used CSRF protection middleware on NPM source with over 330,000 weekly downloads...
Yet express.js/csurf has not been updated in the last 4 years+. The reason being a "large influx of security vulnerability reports received". From what I can tell Snyk comes up a lot
... However checking the pages referred to in discussions I see "Amendment This was deemed not a vulnerability." and 404s for the posts talking about "vulnerabilities in csrf", such as this one.
It's sad to see such a widely used package shut down because of such issues... and what seem to be accusations that were later amended. I may be missing something massive, however.
With the rise of AI, such as Github Copilot I see a lot of suggestions for csurf.
Heck, I have the Snyk extension installed in VSCode, and the "⚠️ Medium Severity | Cross-Site Request Forgery (CSRF) | Priority Score 570 | Vulnerability: CWE-352". The extension gives me some examples of "solutions"... Here are some excerpts:
Every "solution" includes csurf. A 4-year deprecated package.
I'm overwhelmed with my own projects, job and more so I can understand how being beat down relentlessly destroys such an open-source package, and I can sympathise with the developers...
But: What package are people using now? What is going to replace csurf?
I am very out of the loop with all of this.