Affected versions of the fastify-csrf package are vulnerable to Cross-site Request Forgery (CSRF). The generated cookie used insecure defaults and was not marked httpOnly: the default options were cookieOpts: { path: '/', sameSite: true }, which leaves the CSRF secret readable by client-side script. In addition, the CSRF token was accepted from the GET query parameter, where it is exposed in URLs, server access logs, browser history and Referer headers.
Upgrade to version 3.0.0 or later, which fixes both issues.