CSRF Protection for API Routes

Hey, is it enough that I use getSession and verify it's non-null inside my middleware, to protect my (trpc) API routes from CSRF exploitation? From the better-auth docs I am not 100% sure, but I think that getSession checks the request's origin and protects against CSRF tampering, and thus getSession should fail if an attacker tries to send a CSRF-exploiting request, right? My code inside the api-routes middleware:
const session = await (await getAuth()).api.getSession({
headers: opts.headers,
});