npm install tough-cookie
99.5
Supply Chain Risk
100
Quality
90.1
Maintenance
100
Vulnerability
923 Stars
612 Commits
198 Forks
48 Watching
47 Branches
65 Contributors
Updated on 12 Sept 2024
Minified
Minified + Gzipped
TypeScript (67.07%)
JavaScript (32.91%)
EJS (0.02%)
Cumulative downloads
Total Downloads
Last day
2.5%
7,380,459
Compared to previous day
Last week
5.7%
38,816,463
Compared to previous week
Last month
-1.8%
161,143,521
Compared to previous month
Last year
-7.7%
1,921,043,452
Compared to previous year
A Node.js implementation of RFC6265 for cookie parsing, storage, and retrieval.
Install Tough Cookie using npm
:
npm install tough-cookie
or yarn
:
yarn add tough-cookie
import { Cookie, CookieJar } from 'tough-cookie' // parse a `Cookie` request header const reqCookies = 'ID=298zf09hf012fh2; csrf=u32t4o3tb3gg43; _gat=1'.split(';').map(Cookie.parse) // generate a `Cookie` request header const cookieHeader = reqCookies.map(cookie => cookie.cookieString()).join(';') // parse a Set-Cookie response header const resCookie = Cookie.parse('foo=bar; Domain=example.com; Path=/; Expires=Tue, 21 Oct 2025 00:00:00 GMT') // generate a Set-Cookie response header const setCookieHeader = cookie.toString() // store and retrieve cookies const cookieJar = new CookieJar() // uses the in-memory store by default await cookieJar.setCookie(resCookie, 'https://example.com/') const matchingCookies = await cookieJar.getCookies('https://example.com/')
[!IMPORTANT] For more detailed usage information, refer to the API docs.
Support for RFC6265bis is being developed. As these revisions to RFC6252 are
still in Active Internet-Draft
state, the areas of support that follow are subject to change.
This change makes it possible for servers, and supporting clients, to mitigate certain types of CSRF
attacks by disallowing SameSite
cookies from being sent cross-origin.
import { CookieJar } from 'tough-cookie' const cookieJar = new CookieJar() // uses the in-memory store by default // storing cookies with various SameSite attributes await cookieJar.setCookie('strict=authorized; SameSite=strict', 'http://example.com/index.html') await cookieJar.setCookie('lax=okay; SameSite=lax', 'http://example.com/index.html') await cookieJar.setCookie('normal=whatever', 'http://example.com/index.html') // retrieving cookies using a SameSite context const laxCookies = await cookieJar.getCookies('http://example.com/index.html', { // the first cookie (strict=authorized) will not be returned if the context is 'lax' // but the other two cookies will be returned sameSiteContext: 'lax', })
[!NOTE] It is highly recommended that you read RFC6265bis - Section 8.8 for more details on SameSite cookies, security considerations, and defense in depth.
Cookie prefixes are a way to indicate that a given cookie was set with a set of attributes simply by inspecting the first few characters of the cookie's name.
Two prefixes are defined:
"__Secure-"
If a cookie's name begins with a case-sensitive match for the string __Secure-
, then the cookie was set with a "Secure" attribute.
"__Host-"
If a cookie's name begins with a case-sensitive match for the string __Host-
, then the cookie was set with a "Secure" attribute, a "Path" attribute with a value of "/", and no "Domain" attribute.
If prefixSecurity
is enabled for CookieJar
, then cookies that match the prefixes defined above but do
not obey the attribute restrictions are not added.
You can define this functionality by passing in the prefixSecurity
option to CookieJar
. It can be one of 3 values:
silent
: (default) Enable cookie prefix checking but silently fail to add the cookie if conditions are not met.strict
: Enable cookie prefix checking and error out if conditions are not met.unsafe-disabled
: Disable cookie prefix checking.If
ignoreError
is passed in astrue
when setting a cookie then the error is silent regardless of theprefixSecurity
option (assuming it's enabled).
import { CookieJar, MemoryCookieStore } from 'tough-cookie' const cookieJar = new CookieJar(new MemoryCookieStore(), { prefixSecurity: 'silent' }) // this cookie will be silently ignored since the url is insecure (http) await cookieJar.setCookie( '__Secure-SID=12345; Domain=example.com; Secure;', 'http://example.com', ) // this cookie will be stored since the url is secure (https) await cookieJar.setCookie( '__Secure-SID=12345; Domain=example.com; Secure;', 'https://example.com', )
[!NOTE] It is highly recommended that you read RFC6265bis - Section 4.1.3 for more details on Cookie Prefixes.
We follow the Node.js release schedule and support all versions that are in Active LTS or Maintenance. We will always do a major release when dropping support for older versions of node, and we will do so in consultation with our community.
Reason
18 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Reason
license file detected
Details
Reason
no dangerous workflow patterns detected
Reason
GitHub workflow tokens follow principle of least privilege
Details
Reason
no binaries found in the repo
Reason
Found 14/15 approved changesets -- score normalized to 9
Reason
security policy file detected
Details
Reason
1 existing vulnerabilities detected
Details
Reason
dependency not pinned by hash detected -- score normalized to 3
Details
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
Score
Last Scanned on 2024-09-02
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More