Sunday, March 27, 2016

gorilla csrf - Forbidden - CSRF token invalid

If you're developing locally over plain HTTP (no TLS), you need to turn off the Secure flag on the CSRF cookie, otherwise every form submission fails with "Forbidden - CSRF token invalid". The browser honours the Secure flag and never sends that cookie back over an http:// connection, so the middleware never receives the cookie it needs to validate the submitted token.

    http.ListenAndServe(":8000",
        csrf.Protect([]byte("32-byte-long-auth-key"), csrf.Secure(false))(r))

gorilla/csrf defaults to true for both the Secure and HttpOnly flags on the cookie for security reasons: Secure restricts the cookie to HTTPS, and HttpOnly keeps it out of reach of JavaScript.

Note: remember to set it back to true, csrf.Secure(true), or remove the option entirely, in production. Also, csrf.Protect expects a 32-byte authentication key; the placeholder string in the snippet above is shorter than that and is only illustrative, so use 32 random bytes loaded from configuration rather than a literal in the source.
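To see the root cause without a browser, the following added example (my own code, not part of the original post or of gorilla/csrf) plants a cookie shaped like the one gorilla/csrf issues into Go's standard cookie jar and asks which cookies the jar would attach to the next request. The jar follows RFC 6265 exactly as a browser does: a Secure cookie is only returned for https:// URLs. The cookie name "_gorilla_csrf" and its value are placeholders I chose for the demonstration; the host and port match the post's listener.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
)

// csrfCookie builds a cookie shaped like the one the middleware sets:
// HttpOnly is always on, Secure follows the csrf.Secure option.
// Name and value are placeholders for this example, not real tokens.
func csrfCookie(secure bool) *http.Cookie {
	return &http.Cookie{
		Name:     "_gorilla_csrf",
		Value:    "example-cookie-value", // constructed, not a real token
		Path:     "/",
		HttpOnly: true,
		Secure:   secure,
	}
}

// cookieSentBack stores the CSRF cookie in a client cookie jar as if a
// response from scheme://localhost:8000/ had delivered it, then checks
// whether the jar would send it with the follow-up POST to /login on the
// same origin. Returns false when the client withholds the cookie, which
// is exactly the case in which the middleware answers 403.
func cookieSentBack(secure bool, scheme string) (bool, error) {
	jar, err := cookiejar.New(nil)
	if err != nil {
		return false, err
	}
	origin, err := url.Parse(scheme + "://localhost:8000/")
	if err != nil {
		return false, err
	}
	jar.SetCookies(origin, []*http.Cookie{csrfCookie(secure)})

	// The form submission that the middleware would validate.
	next := &url.URL{Scheme: scheme, Host: "localhost:8000", Path: "/login"}
	for _, c := range jar.Cookies(next) {
		if c.Name == "_gorilla_csrf" {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	for _, secure := range []bool{true, false} {
		for _, scheme := range []string{"http", "https"} {
			sent, err := cookieSentBack(secure, scheme)
			if err != nil {
				panic(err)
			}
			verdict := "cookie returned, token can be validated"
			if !sent {
				verdict = "cookie withheld, middleware replies 'Forbidden - CSRF token invalid'"
			}
			fmt.Printf("csrf.Secure(%-5v) over %-5s -> %s\n", secure, scheme, verdict)
		}
	}
}
```

Run it with go run and the only failing combination is Secure=true over http, which is the local-development case from the post; over https the flag costs nothing, which is why it is safe to leave the default in production.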

Reference:

https://github.com/gorilla/csrf/issues/13

https://github.com/gorilla/csrf
