RPC "use server" and CSRF Attacks
I’m looking to better understand the CSRF risks associated with SolidStart, specifically regarding the use of RPC calls with the "use server" function.

In Next.js, when I process a form with server actions, the risk of CSRF attacks is significantly reduced for a few reasons:

1. Server actions are limited to POST requests.
2. Modern browsers enforce Same-Site cookies by default, which helps mitigate CSRF vulnerabilities.
3. I can further enhance security by ensuring that all cookies have the SameSite=Strict, HttpOnly, and Secure settings.

With SolidStart, using "use server" means I’m making an RPC call to that function. It's my understanding that RPC calls use HTTP POST to invoke specific server-side functions by name. Given this, I believe the same three points regarding CSRF risk reduction should apply to SolidStart as well.

Am I correct in my understanding? If not, what potential CSRF risks should I be aware of when using RPC calls in SolidStart?

Thank you!
Chris
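The question above asks which CSRF risks remain for a POST-only RPC endpoint. As an added example (not from the post, and not SolidStart's own code), here is the framework-neutral request guard a practitioner would typically run at the top of a server-side RPC handler before touching any state. It works on the standard `Headers` API that a `Request` object exposes: it rejects non-POST methods, uses the browser-set `Sec-Fetch-Site` header where present, checks `Origin` against an allow-list, cross-checks `Host`, and builds a `Set-Cookie` value carrying the `SameSite=Strict`, `HttpOnly` and `Secure` attributes the post mentions. The origin `app.example.com`, the `ALLOWED_ORIGINS` set and the request fixtures are constructed for the example; how the `Request` is obtained inside a SolidStart "use server" function is framework-specific and is not shown here.

```javascript
// Added example (not from the original post or from SolidStart): a CSRF guard for an
// RPC-style POST endpoint, written against the standard Headers API so it runs offline.
// In a real handler `request` would be the framework's incoming Request; here the
// tests pass a plain { method, headers } object with the same shape (constructed input).

// Allow-list of origins permitted to call the RPC endpoint (constructed for the example).
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Returns { ok: true } when the request may proceed, or { ok: false, reason } otherwise.
function csrfCheck(request, allowedOrigins = ALLOWED_ORIGINS) {
  // 1. Only state-changing requests are accepted; RPC calls are POST.
  if (request.method !== "POST") {
    return { ok: false, reason: "method-not-allowed" };
  }

  // 2. Sec-Fetch-Site is set by the browser and cannot be set by page scripts or
  //    forms (the Sec- prefix is a forbidden header name). Accept "same-origin" and
  //    "none" (user-initiated navigation); reject "cross-site" and also "same-site",
  //    since a sibling subdomain is not the application itself. Older clients omit
  //    the header, so a missing value falls through to the Origin check below.
  const fetchSite = request.headers.get("sec-fetch-site");
  if (fetchSite !== null && fetchSite !== "same-origin" && fetchSite !== "none") {
    return { ok: false, reason: `sec-fetch-site=${fetchSite}` };
  }

  // 3. Browsers always send Origin on POST (fetch and form submissions alike), so a
  //    missing or unlisted Origin is treated as untrusted rather than silently allowed.
  const origin = request.headers.get("origin");
  if (origin === null || !allowedOrigins.has(origin)) {
    return { ok: false, reason: "origin-missing-or-not-allowed" };
  }

  // 4. Defence in depth: the Host the request arrived on must match the Origin's host,
  //    which catches misrouted or proxied requests that still carry a listed Origin.
  const host = request.headers.get("host");
  if (host !== null && new URL(origin).host !== host) {
    return { ok: false, reason: "host-mismatch" };
  }

  return { ok: true };
}

// Builds the Set-Cookie header value for a session cookie with the three attributes the
// post lists. A `__Host-` name prefix additionally makes the browser refuse the cookie
// unless it is Secure, has Path=/ and carries no Domain attribute, so it cannot be
// planted for the parent domain by a sibling host.
function sessionCookie(name, value, maxAgeSeconds) {
  return [
    `${name}=${encodeURIComponent(value)}`,
    "Path=/",
    `Max-Age=${maxAgeSeconds}`,
    "HttpOnly",        // not readable from document.cookie
    "Secure",          // only sent over HTTPS
    "SameSite=Strict", // never attached to any cross-site request
  ].join("; ");
}

// Constructed fixtures showing the guard's decisions.
function demo() {
  const sameOrigin = {
    method: "POST",
    headers: new Headers({
      origin: "https://app.example.com",
      host: "app.example.com",
      "sec-fetch-site": "same-origin",
    }),
  };
  const crossSite = {
    method: "POST",
    headers: new Headers({
      origin: "https://attacker.example.net",
      host: "app.example.com",
      "sec-fetch-site": "cross-site",
    }),
  };
  return {
    sameOrigin: csrfCheck(sameOrigin),
    crossSite: csrfCheck(crossSite),
    cookie: sessionCookie("__Host-session", "abc 123", 3600),
  };
}

console.log(demo());
```

The guard is independent of how a given browser defaults the `SameSite` attribute: even if the session cookie is attached to a cross-site POST, the request is still refused on its headers. Keep the `Secure` attribute in mind during local development over plain HTTP, where the browser will drop the cookie.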
