CSRF Protection for API Routes

Hey, is it enough that I use `getSession` and verify it's non-null inside my middleware, to protect my (trpc) API routes from CSRF exploitation?

From the better-auth docs I am not 100% sure, but I think that `getSession` checks the request's origin and protects against CSRF tampering, and thus `getSession` should fail if an attacker tries to send a CSRF-exploiting request, right?

My code inside the api-routes middleware:

```ts
const session = await (await getAuth()).api.getSession({
  headers: opts.headers,
});
```
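Added example, not part of the question above and not better-auth's or tRPC's own code: a session lookup only answers "which cookie arrived", and a browser attaches cookies to cross-site form posts and fetches automatically, so a non-null session by itself does not tell the middleware where a state-changing request came from. The usual defence layered on top of the session check is to reject requests whose `Sec-Fetch-Site` / `Origin` headers do not match the site's own origins. The allow-list `ALLOWED_ORIGINS`, the plain lower-cased header map, the `authorizeMutation` wrapper and the sample session object are all assumptions constructed for this example.

```typescript
// Added example: explicit cross-site request check next to a session check.
// Header names are assumed already lower-cased, as Node's IncomingMessage
// and the Fetch Headers API expose them.
type HeaderMap = Record<string, string | undefined>;

// Assumption: the origins that are allowed to call the mutation routes.
const ALLOWED_ORIGINS: ReadonlySet<string> = new Set(["https://app.example.com"]);

// Methods that must not change state and so are not CSRF targets.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

type CsrfVerdict = { ok: true } | { ok: false; reason: string };

// Decide whether a state-changing request is same-site, using Fetch Metadata
// first and the Origin header as the second opinion. Both headers are set by
// the browser and cannot be forged by page script on another site.
function checkCrossSiteRequest(
  method: string,
  headers: HeaderMap,
  allowed: ReadonlySet<string> = ALLOWED_ORIGINS,
): CsrfVerdict {
  if (SAFE_METHODS.has(method.toUpperCase())) {
    return { ok: true };
  }

  // Modern browsers send Sec-Fetch-Site on every request; "cross-site" is the
  // exact signature of a CSRF attempt.
  const site = headers["sec-fetch-site"];
  if (site === "cross-site") {
    return { ok: false, reason: "Sec-Fetch-Site: cross-site" };
  }

  // Browsers add Origin to all POST/PUT/PATCH/DELETE requests. A missing
  // Origin on a state-changing request is rejected rather than trusted, so
  // old browsers and stripped headers fail closed.
  const origin = headers["origin"];
  if (!origin) {
    return { ok: false, reason: "missing Origin header on state-changing request" };
  }
  if (!allowed.has(origin)) {
    return { ok: false, reason: `untrusted origin ${origin}` };
  }
  return { ok: true };
}

// Assumption: whatever getSession returns, only null-ness matters here.
interface SessionLike { user: { id: string } }

// The combined rule for a mutation route: a valid session AND a same-site
// request. Either check failing rejects the call.
function authorizeMutation(
  session: SessionLike | null,
  method: string,
  headers: HeaderMap,
): CsrfVerdict {
  if (session === null) {
    return { ok: false, reason: "no session" };
  }
  return checkCrossSiteRequest(method, headers);
}

// Constructed sample requests.
const session: SessionLike = { user: { id: "user-123" } };

const fromOwnApp: HeaderMap = {
  origin: "https://app.example.com",
  "sec-fetch-site": "same-origin",
  cookie: "session=...",
};

const fromAttackerPage: HeaderMap = {
  origin: "https://attacker.example",
  "sec-fetch-site": "cross-site",
  cookie: "session=...", // browser attached it anyway
};

console.log(authorizeMutation(session, "POST", fromOwnApp));        // { ok: true }
console.log(authorizeMutation(session, "POST", fromAttackerPage));  // { ok: false, reason: 'Sec-Fetch-Site: cross-site' }
```

Note that in the second sample the cookie is present and a session lookup would succeed; only the origin check distinguishes it. If the API is also called from non-browser clients that send no `Origin`, those clients should authenticate with a bearer token rather than a cookie, so the fail-closed branch does not affect them.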