Does t3 stack implement csrf protection?
Using csrf tokens for example?
8 Replies
It looks like next auth has csrf protection but only for authentication routes (signin/signout etc). How does t3, if at all, protect our app from csrf? Without protection, that means if I'm currently logged in and someone sends me a malicious link and I click it, they will be able to send a post request to https://mysite.xyz/api/trpc/todo.deleteToDo?batch=1 and do a mutation
Probably need to do it manually yourself for your mutations
Damn, really?
I'm surprised that this community doesn't talk about it at all
There’s a lot of things which already reduce the attack vector for csrf
For example restricting CORS for your trpc endpoint
But the safest method of generating tokens to prevent csrf doesn’t seem to have an ooo solution in trpc nor react query afaik
As far as I’m aware, the t3 stack itself does not implement CSRF protections, so that’s something you’d need to implement yourself.
I personally had a difficult time finding examples online. Essentially, what it boils down to (as I understand) is your server will need to set a non-HTTP cookie, which will need to be read on the client side and passed as a custom header to the backend. What I did in my implementation is set the cookie (say csrf-token) on the login route and then using the tRPC client, read in the cookie and send it along in a custom header (x-csrf-token) with every request. Of course, you’ll need some way to validate the CSRF token in the backend, preferably as a middleware.
Hope that helps!
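As an added example (not code from this thread or from the linked repository), the double-submit check described above in plain TypeScript with no tRPC dependency; the cookie and header names follow the post, while the request shape and function names are assumptions.

```typescript
import { randomBytes, timingSafeEqual } from "node:crypto";

// Assumed minimal request shape: only what the check needs from an incoming request.
export interface IncomingLike {
  method: string;
  headers: Record<string, string | undefined>;
}

export const CSRF_COOKIE = "csrf-token";   // cookie name from the post above
export const CSRF_HEADER = "x-csrf-token"; // header name from the post above

// Issued on the login route. The cookie is deliberately NOT HttpOnly so that
// client-side code can read it and echo it back in the custom header.
export function generateCsrfToken(): string {
  return randomBytes(32).toString("hex");
}

export function csrfSetCookieHeader(token: string): string {
  return `${CSRF_COOKIE}=${token}; Path=/; SameSite=Strict; Secure`;
}

function parseCookies(header: string | undefined): Record<string, string> {
  const out: Record<string, string> = {};
  for (const part of (header ?? "").split(";")) {
    const idx = part.indexOf("=");
    if (idx > 0) out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Double-submit check, meant to run as middleware in front of mutations.
// A cross-site page can make the browser attach the cookie, but it cannot read
// the cookie to copy it into a custom header, so a forged request fails here.
export function csrfCheck(req: IncomingLike): boolean {
  // Safe methods (tRPC queries are GET) carry no state change; only mutations
  // (POST) need the token.
  if (["GET", "HEAD", "OPTIONS"].includes(req.method.toUpperCase())) return true;
  const cookieToken = parseCookies(req.headers["cookie"])[CSRF_COOKIE];
  const headerToken = req.headers[CSRF_HEADER];
  if (!cookieToken || !headerToken) return false;
  const a = Buffer.from(cookieToken);
  const b = Buffer.from(headerToken);
  // Constant-time comparison; lengths must match before timingSafeEqual is called.
  return a.length === b.length && timingSafeEqual(a, b);
}
```

In a tRPC middleware the same check would read the cookie and header from the request stored on the context and throw an UNAUTHORIZED error when `csrfCheck` returns false.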
Yes @Endgame1013 what you're mentioning is the double cookie submit pattern. I was just wondering if t3 already takes care of it. Do you mind sharing the code for that?
I've done it with FastAPI (Python) but never with TS
For sure, sorry this is a bit late: https://github.com/nick-cheatwood7/csrf-example
Thanks!