Site icon API Security Blog

Vendure Cross Site Request Forgery vulnerability impacting all API requests

### Impact
Vendure is an e-commerce GraphQL framework with a number of APIs and different levels of
authorization. By default the Cookie settings are insecure, having the SameSite setting as false
which results in not having one (originates from the cookie-session npm package’s default
settings).

### Patches
In progress

### Workarounds
Manually set the `authOptions.cookieOptions.sameSite` configuration option to `’strict’`, `’lax’` or `true`.

### References
_Are there any links users can visit to find out more?_Read More

Exit mobile version