CSRF Protection #471
Closed
FredKSchott started this conversation in Proposal
Replies: 3 comments
-
Was about to post a new proposal on this! Would be a good default.

```js
// should probably check for OPTIONS, HEAD, and TRACE
// Parse a URL without throwing; returns null for an unparsable value
function safeParseURL(value) {
  try {
    return new URL(value);
  } catch {
    return null;
  }
}

if (context.request.method !== "GET") {
  const originHeader = context.request.headers.get("Origin");
  const hostHeader = context.request.headers.get("Host");
  if (!originHeader || !hostHeader) {
    return new Response(null, { status: 403 });
  }
  const originHostname = safeParseURL(originHeader)?.hostname;
  // Host carries no scheme, so prepend one before parsing it as a URL
  const hostHostname = safeParseURL(`http://${hostHeader}`)?.hostname;
  // Note: comparing hostnames only ignores scheme and port
  if (!originHostname || !hostHostname || originHostname !== hostHostname) {
    return new Response(null, { status: 403 });
  }
}
```
-
Svelte Kit's implementation is here (thanks @bluwy): https://github.com/sveltejs/kit/blob/2a302b26d6f8c9d46c59852c3f8f25e387e30876/packages/kit/src/runtime/server/respond.js#L61-L80. Here's a comprehensive Cross-Site Request Forgery Prevention Cheat Sheet for reference.
-
Closing as accepted
-
Body
https://kit.svelte.dev/docs/configuration#csrf
SvelteKit and Qwik have this idea of CSRF protection built in. From the SvelteKit docs:
This makes a lot of sense, and probably is fairly easy to add. It would be a breaking change though, so would need to be off-by-default until 3.0
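To make the proposal concrete, here is an added example of the kind of origin check the SvelteKit docs describe (rejecting non-GET form submissions whose Origin does not match the site's) written as a framework-agnostic guard over the web-standard `Request`/`Headers`/`Response` objects. This is illustration code written for this page, not Astro's, SvelteKit's, or the sketch posted in the first comment above. It goes a little further than the sketch: it treats HEAD, OPTIONS and TRACE as safe alongside GET, only guards the content types a plain HTML form can send (other types already require a CORS preflight), falls back on the `Sec-Fetch-Site` header when Origin is absent, and rejects the literal `Origin: null`. The function names `csrfRejectReason` and `csrfGuard`, the `formOnly` option and the `SITE_ORIGIN` value are assumptions for this example; the demo headers are constructed, not captured traffic.

```javascript
// Added example: origin-based CSRF guard (not Astro or SvelteKit code).
// Runs on Node 18+ where Request, Headers and Response are globals.

// Methods that must not change state and so need no CSRF check
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Content types a plain HTML <form> can submit cross-site without a
// CORS preflight; anything else (e.g. application/json) is preflighted
const FORM_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Assumed site origin for the demo; a real app reads it from config
const SITE_ORIGIN = "https://example.com";

// Normalise a URL-ish string to its origin, or null if unparsable.
// "null" (sandboxed iframes, some redirects) is unparsable and so rejected.
function parseOrigin(value) {
  try {
    return new URL(value).origin;
  } catch {
    return null;
  }
}

// Returns null when the request may proceed, or a reason string when it
// should be rejected. `headers` is anything with a case-insensitive get().
function csrfRejectReason(method, headers, siteOrigin, { formOnly = true } = {}) {
  if (SAFE_METHODS.has(method.toUpperCase())) return null;

  if (formOnly) {
    // Strip parameters such as "; boundary=..." before comparing
    const contentType = (headers.get("content-type") || "")
      .split(";")[0].trim().toLowerCase();
    if (!FORM_CONTENT_TYPES.has(contentType)) return null;
  }

  const origin = headers.get("origin");
  if (!origin) {
    // Browsers send Origin on cross-site non-GET requests; without it,
    // accept only when Fetch Metadata says the request is not cross-site
    const site = headers.get("sec-fetch-site");
    if (site === "same-origin" || site === "none") return null;
    return "missing Origin header";
  }

  const requestOrigin = parseOrigin(origin);
  const expected = parseOrigin(siteOrigin);
  if (!requestOrigin || !expected || requestOrigin !== expected) {
    return `origin ${origin} does not match ${siteOrigin}`;
  }
  return null;
}

// Middleware-style wrapper: a 403 Response to return early, or null to continue
function csrfGuard(request, siteOrigin, options) {
  const reason = csrfRejectReason(request.method, request.headers, siteOrigin, options);
  return reason ? new Response(reason, { status: 403 }) : null;
}

// Constructed demo headers (not captured traffic)
const demo = [
  ["POST", new Headers({ origin: "https://example.com", "content-type": "application/x-www-form-urlencoded" })],
  ["POST", new Headers({ origin: "https://evil.example", "content-type": "multipart/form-data; boundary=abc" })],
  ["POST", new Headers({ origin: "https://evil.example", "content-type": "application/json" })],
  ["DELETE", new Headers({ "sec-fetch-site": "same-origin", "content-type": "text/plain" })],
];
for (const [method, headers] of demo) {
  const verdict = csrfRejectReason(method, headers, SITE_ORIGIN) ?? "allowed";
  console.log(method, headers.get("origin") ?? "(no Origin)", "->", verdict);
}
```

The `formOnly` default mirrors the narrow threat this proposal targets: a cross-site `<form>` auto-submitted by an attacker page. Pass `{ formOnly: false }` to apply the origin check to every non-safe request regardless of content type. The check relies on browsers populating `Origin` (or `Sec-Fetch-Site`); non-browser clients are outside the CSRF threat model, but an intermediary that strips `Origin` would cause same-site submissions to be refused, which is the case to watch for when turning this on by default.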