🚧 This documentation is work in progress and for an unreleased version of Fresh.

csrf

The csrf() middleware can be used to add a safeguard against Cross-Site Request Forgery vulnerabilities. It checks whether the user is allowed to load the requested URL based on the values of the Sec-Fetch-Site and Origin headers of the HTTP request. The options allow the server to indicate which origins (domain, scheme or port) other than its own are permitted.

TypeScript main.ts
import { App, csrf } from "fresh";

const app = new App();

// Use the default configuration
app.use(csrf());

// Specify a single origin
app.use(csrf({ origin: "https://example.com" }));

// Specify multiple origins
app.use(
  csrf({ origin: ["https://example.com", "https://trusted.example.com"] }),
);

// Use a function
app.use(
  csrf({
    origin: (origin) => /^https:\/\/(foo|bar)\.example\.com$/.test(origin),
  }),
);
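
To make the header check concrete, here is an added sketch (not code from Fresh or its implementation) of how an allow/deny decision can be derived from Sec-Fetch-Site and Origin for the three origin forms shown above. The names SketchRequest, matchesRule, isRequestAllowed and samplePost, and the decision order itself, are assumptions made for illustration.

```typescript
// Added sketch, not Fresh's source. The decision order below is an assumption.
type OriginRule = string | string[] | ((origin: string) => boolean);

interface SketchRequest {
  method: string;
  serverOrigin: string; // origin the app itself is served from
  headers: { [name: string]: string | undefined }; // lowercase header names
}

const SAFE_METHODS = ["GET", "HEAD", "OPTIONS"];

function matchesRule(origin: string, rule?: OriginRule): boolean {
  if (rule === undefined) return false;
  if (typeof rule === "string") return origin === rule;
  if (Array.isArray(rule)) return rule.some((allowed) => allowed === origin);
  return rule(origin);
}

function isRequestAllowed(req: SketchRequest, rule?: OriginRule): boolean {
  // Assumption: only state-changing methods are checked.
  if (SAFE_METHODS.indexOf(req.method.toUpperCase()) !== -1) return true;

  const site = req.headers["sec-fetch-site"];
  const origin = req.headers["origin"];

  if (site !== undefined) {
    // The browser reports where the request was initiated from.
    if (site === "same-origin" || site === "none") return true;
    // "same-site" and "cross-site" pass only for an explicitly trusted Origin.
    return origin !== undefined && matchesRule(origin, rule);
  }
  // No Sec-Fetch-Site (older browser or non-browser client): fall back to Origin.
  if (origin === undefined) return true; // assumption: not sent by a browser
  return origin === req.serverOrigin || matchesRule(origin, rule);
}

// Constructed sample requests, not captured traffic.
function samplePost(site: string | undefined, origin: string | undefined): SketchRequest {
  return {
    method: "POST",
    serverOrigin: "https://app.example.com",
    headers: { "sec-fetch-site": site, "origin": origin },
  };
}

const TRUSTED: OriginRule = ["https://example.com", "https://trusted.example.com"];
const SUBDOMAINS: OriginRule = (o) => /^https:\/\/(foo|bar)\.example\.com$/.test(o);
```

When the origin option is a function, keep the regular expression anchored with ^ and $ as in the example above. Without the anchors, a look-alike origin such as https://foo.example.com.evil.test would also match.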