🚧 This documentation is work in progress and for an unreleased version of Fresh.
csrf
The csrf() middleware adds a safeguard against Cross-Site Request Forgery
(CSRF) vulnerabilities. It decides whether a request is allowed to reach the
requested URL based on the values of the Sec-Fetch-Site and Origin headers
that browsers attach to HTTP requests. The origin option lets the server list
which origins (scheme, host and port) other than its own are permitted to send
requests; requests that arrive from any other origin are rejected.

Both headers are set by the browser and cannot be overwritten by page scripts,
which is what makes the check meaningful: it protects cookie-authenticated
browser sessions from requests forged by another site. It does not authenticate
non-browser clients, which can send whatever headers they like, and it is not a
substitute for authorizing the request itself.
```ts
import { App, csrf } from "fresh";

const app = new App();

// Default: only the server's own origin is permitted
app.use(csrf());

// Specify a single origin
app.use(csrf({ origin: "https://example.com" }));

// Specify multiple origins
app.use(
  csrf({ origin: ["https://example.com", "https://trusted.example.com"] }),
);
```
```ts
// Use a function to decide per origin (the argument is the request's Origin)
app.use(
  csrf({
    origin: (origin) => /^https:\/\/(foo|bar)\.example\.com$/.test(origin),
  }),
);
```
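To make the header-based decision concrete, here is a standalone model of the check described above, covering all three forms of the origin option. It is an added example, not Fresh's own code: the function names (csrfVerdict, normalizeOrigin), the Verdict shape and the treatment of requests that carry neither header are assumptions, and the real middleware's rules may differ in detail. The sample requests are constructed for the demonstration.

```typescript
// Added example: a model of the Sec-Fetch-Site / Origin decision a CSRF
// middleware such as Fresh's csrf() makes. Not Fresh's implementation.

type OriginOption = string | string[] | ((origin: string) => boolean);

export interface Verdict {
  allowed: boolean;
  reason: string;
}

// Methods that must not change state and are therefore never blocked.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Reduce a configured or received origin to scheme://host[:port] so that
// comparisons are exact: case, default ports and stray paths are ignored.
// Returns null for values that are not a valid origin, including the
// opaque Origin value "null" that browsers send for sandboxed contexts.
export function normalizeOrigin(value: string): string | null {
  try {
    return new URL(value).origin;
  } catch {
    return null;
  }
}

function matchesOption(origin: string, option?: OriginOption): boolean {
  if (option === undefined) return false;
  // Function form: the application decides, e.g. with a regex.
  if (typeof option === "function") return option(origin);
  // String or array form: exact match after normalization.
  const list = Array.isArray(option) ? option : [option];
  return list.some((allowed) => normalizeOrigin(allowed) === origin);
}

export function csrfVerdict(
  req: Request,
  serverOrigin: string,
  option?: OriginOption,
): Verdict {
  if (SAFE_METHODS.has(req.method.toUpperCase())) {
    return { allowed: true, reason: "safe method" };
  }
  // Browsers set Sec-Fetch-Site on every request and scripts cannot forge
  // it; same-origin and user-initiated ("none") requests are never CSRF.
  const site = req.headers.get("sec-fetch-site");
  if (site === "same-origin" || site === "none") {
    return { allowed: true, reason: `sec-fetch-site ${site}` };
  }
  const rawOrigin = req.headers.get("origin");
  if (rawOrigin === null) {
    // Browsers send Origin on every cross-origin POST, so nothing vouches
    // for this request. The model rejects to stay conservative; this is an
    // assumption of the example, not documented Fresh behaviour.
    return { allowed: false, reason: "no Origin header on unsafe method" };
  }
  const origin = normalizeOrigin(rawOrigin);
  if (origin === null) {
    return { allowed: false, reason: `unparseable Origin ${rawOrigin}` };
  }
  if (origin === normalizeOrigin(serverOrigin)) {
    return { allowed: true, reason: "Origin matches the server" };
  }
  if (matchesOption(origin, option)) {
    return { allowed: true, reason: "Origin is in the allow-list" };
  }
  return { allowed: false, reason: `cross-site request from ${origin}` };
}

// Constructed sample requests (not captured traffic) against a hypothetical
// https://app.example.com, exercising the default, list and function forms.
export function sampleVerdicts(): Record<string, boolean> {
  const server = "https://app.example.com";
  const mk = (method: string, headers: Record<string, string>) =>
    new Request(`${server}/account/email`, { method, headers });
  const fnOption = (o: string) => /^https:\/\/(foo|bar)\.example\.com$/.test(o);
  return {
    get: csrfVerdict(mk("GET", {}), server).allowed,
    sameOrigin: csrfVerdict(mk("POST", { "sec-fetch-site": "same-origin" }), server).allowed,
    crossSiteUnlisted: csrfVerdict(
      mk("POST", { "sec-fetch-site": "cross-site", origin: "https://evil.example" }),
      server,
    ).allowed,
    crossSiteListed: csrfVerdict(
      mk("POST", { "sec-fetch-site": "cross-site", origin: "https://trusted.example.com" }),
      server,
      ["https://example.com", "https://trusted.example.com"],
    ).allowed,
    subdomainViaFunction: csrfVerdict(
      mk("POST", { "sec-fetch-site": "same-site", origin: "https://foo.example.com" }),
      server,
      fnOption,
    ).allowed,
    opaqueOrigin: csrfVerdict(mk("POST", { origin: "null" }), server).allowed,
  };
}
```

The normalization step matters in practice: an allow-list entry written as "https://Trusted.example.com/" would never match a browser's "https://trusted.example.com" Origin under naive string comparison, and an Origin of "null" must never be treated as a trusted value.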