Does PWA support CSRF ?

[RimelMj]

I am currently working on a project using PWA Venia and would like to inquire about its support for CSRF (Cross-Site Request Forgery) protection. Specifically, does Venia include built-in CSRF handling mechanisms, or are there recommended best practices for implementing CSRF protection within the framework?

Your guidance will be greatly appreciated. Thank you in advance for your support!

[m2-assistant]

Hi @RimelMj. Thank you for your report.
To speed up processing of this issue, make sure that you provided sufficient information.
Add a comment to assign the issue: @magento I am working on this

---

Join Magento Community Engineering Slack and ask your questions in #github channel.

[RimelMj]

@magento I am working on this

[m2-assistant]

Hi @RimelMj! 👋
Thank you for collaboration. Only members of Community Contributors Team are allowed to be assigned to the issue. Please use @magento add to contributors team command to join Contributors team.

[RimelMj]

@magento add to contributors team

[m2-assistant]

Hi @RimelMj! 👋
Thank you for joining. Please accept team invitation 👉 here 👈 and add your comment one more time.

[RimelMj]

I am currently working on a project using PWA Venia and would like to inquire about its support for CSRF (Cross-Site Request Forgery) protection. Specifically, does Venia include built-in CSRF handling mechanisms, or are there recommended best practices for implementing CSRF protection within the framework?

Your guidance will be greatly appreciated. Thank you in advance for your support!

[glo82145]

@adobe export issue to Jira project PWA

[github-jira-sync-bot]

✅ Jira issue https://jira.corp.adobe.com/browse/PWA-3627 is successfully created for this GitHub issue.

[del15881]

Hi, @RimelMj

Thanks for raising this question.

After reviewing the current PWA Studio/Venia codebase and documentation,
it appears that Venia does not implement any built-in CSRF protection mechanisms.
Venia relies primarily on GraphQL requests (usually sent via fetch) and does not
automatically include CSRF tokens, form keys, or any anti-CSRF headers.
UPWARD acts only as a request-routing and proxy layer.

Before suggesting potential approaches, it would help if you could share a bit more about your use case:

• Which operations in Venia do you want to protect with CSRF?

Understanding where and how you intend to apply CSRF protection will help us recommend the most
appropriate solution or potential enhancement path in PWA Studio.

Thanks