Skip to content

CSRF Protection

CSRF Protection Middleware prevents CSRF attacks by checking request headers.

This middleware protects against CSRF attacks such as submitting with a form element by comparing the value of the Origin header with the requested URL.

Old browsers that do not send Origin headers, or environments that use reverse proxies to remove Origin headers, may not work well. In such environments, use the other CSRF token methods.

Import

ts
import { Hono } from 'hono'
import { csrf } from 'hono/csrf'
import { Hono } from 'hono'
import { csrf } from 'hono/csrf'
ts
import { Hono } from 'https://deno.land/x/hono/mod.ts'
import { csrf } from 'https://deno.land/x/hono/middleware.ts'
import { Hono } from 'https://deno.land/x/hono/mod.ts'
import { csrf } from 'https://deno.land/x/hono/middleware.ts'

Usage

ts
const app = new Hono()

app.use(csrf())

// Specifying origins with using `origin` option
// string
app.use(csrf({ origin: 'myapp.example.com' }))

// string[]
app.use(
  csrf({
    origin: ['myapp.example.com', 'development.myapp.example.com'],
  })
)

// Function
// It is strongly recommended that the protocol be verified to ensure a match to `$`.
// You should *never* do a forward match.
app.use(
  '*',
  csrf({
    origin: (origin) => /https:\/\/(\w+\.)?myapp\.example\.com$/.test(origin),
  })
)
const app = new Hono()

app.use(csrf())

// Specifying origins with using `origin` option
// string
app.use(csrf({ origin: 'myapp.example.com' }))

// string[]
app.use(
  csrf({
    origin: ['myapp.example.com', 'development.myapp.example.com'],
  })
)

// Function
// It is strongly recommended that the protocol be verified to ensure a match to `$`.
// You should *never* do a forward match.
app.use(
  '*',
  csrf({
    origin: (origin) => /https:\/\/(\w+\.)?myapp\.example\.com$/.test(origin),
  })
)

Options

  • origin: string | string[] | Function
    • Specify origins.

Released under the MIT License.