CSRF Protection

CSRF Protection Middleware prevents CSRF attacks by checking request headers.

This middleware protects against CSRF attacks such as submitting with a form element by comparing the value of the Origin header with the requested URL.

Old browsers that do not send Origin headers, or environments that use reverse proxies to remove Origin headers, may not work well. In such environments, use the other CSRF token methods.

Import

import { Hono } from 'hono'
import { csrf } from 'hono/csrf'

Usage

const app = new Hono()

app.use(csrf())

// Specifying origins with using `origin` option
// string
app.use(csrf({ origin: 'myapp.example.com' }))

// string[]
app.use(
  csrf({
    origin: ['myapp.example.com', 'development.myapp.example.com'],
  })
)

// Function
// It is strongly recommended that the protocol be verified to ensure a match to `$`.
// You should *never* do a forward match.
app.use(
  '*',
  csrf({
    origin: (origin) =>
      /https:\/\/(\w+\.)?myapp\.example\.com$/.test(origin),
  })
)

Options

optional origin: `string` | `string[]` | `Function`

Specify origins.

CSRF Protection ​

Import ​

Usage ​

Options ​

optional origin: string | string[] | Function ​

CSRF Protection

Import

Usage

Options

optional origin: `string` | `string[]` | `Function`