CSRF Protection Patterns
Prevent cross-site request forgery attacks with tokens, SameSite cookies, and origin validation.
- Difficulty
- intermediate
- Read time
- 1 min read
- Version
- v1.0.0
- Confidence
- established
- Last updated
Quick Reference
CSRF: Use SameSite=Lax cookies (default protection). Add CSRF tokens for state-changing forms. Validate Origin/Referer headers. Double-submit cookie pattern for SPAs. Server Actions in Next.js have built-in CSRF protection. Always use POST for mutations.
Use When
- Web applications with cookies
- Session-based authentication
- Forms with state changes
- Multi-page applications
Skip When
- API-only with Bearer tokens
- Stateless JWT authentication
- Mobile applications