sergiodxa · Copilot · Mar 24, 2026 · Mar 24, 2026 · Mar 24, 2026 · Mar 24, 2026
diff --git a/src/server/csrf.test.ts b/src/server/csrf.test.ts
@@ -131,6 +131,21 @@ describe("CSRF", () => {
 		);
 	});
 
+	test("rejects CSRF tokens signed with a different secret", async () => {
+		let token = new CSRF({ cookie, secret: "my-secret" }).generate();
+
+		let formData = new FormData();
+		formData.set("csrf", token);
+
+		let headers = new Headers({
+			cookie: await cookie.serialize(token),
+		});
+
+		expect(
+			new CSRF({ cookie, secret: "different-secret" }).validate(formData, headers),
+		).rejects.toThrow(new CSRFError("tampered_token_in_cookie", "Tampered CSRF token in cookie."));
+	});
+
 	test("commits the token to a cookie", async () => {
 		let [token, cookieHeader] = await csrf.commitToken();
 		let parsedCookie = await cookie.parse(cookieHeader);

diff --git a/src/server/csrf.ts b/src/server/csrf.ts
@@ -173,7 +173,8 @@
  * @author [Sergio Xalambrí](https://sergiodxa.com)
  * @module Server/CSRF
  */
-import { sha256 } from "@oslojs/crypto/sha2";
+import { hmac } from "@oslojs/crypto/hmac";
+import { SHA256 } from "@oslojs/crypto/sha2";
 import { encodeBase64url } from "@oslojs/encoding";
 import type { Cookie } from "react-router";
 import { randomString } from "../common/crypto.js";
@@ -343,7 +344,8 @@ export class CSRF {
 
 	private sign(token: string) {
 		if (!this.secret) return token;
-		return encodeBase64url(sha256(new TextEncoder().encode(token)));
+		let encoder = new TextEncoder();
+		return encodeBase64url(hmac(SHA256, encoder.encode(this.secret), encoder.encode(token)));
 	}
 
 	private verifySignature(token: string) {