Better Auth
•Created by JonasDoesThings on 3/3/2025 in #help
CSRF Protection for API Routes
Hey, is it enough that I use getSession and verify it's non-null inside my middleware, to protect my (trpc) API routes from CSRF exploitation?
From the better-auth docs I am not 100% sure, but I think that getSession checks the request's origin and protects against CSRF tampering, and thus getSession should fail if an attacker tries to send a CSRF-exploiting request, right?
My code inside the api-routes middleware:
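Added example (not code from the original post, and not better-auth's own implementation): an explicit origin check a middleware can run before trusting a cookie session, which is the property the question above is asking about. The names checkCsrf and ALLOWED_ORIGINS are hypothetical, and headers are assumed to arrive as a plain object with lowercase names, as Node's req.headers exposes them.

```typescript
// Added example, not code from the original post or from better-auth: an
// explicit origin check a middleware can run before trusting a cookie session.
// Assumptions: headers come as a plain object with lowercase names, as Node's
// req.headers exposes them, and the allowed origins are known up front.

type HeaderMap = Record<string, string | undefined>;
type CsrfVerdict = { ok: true } | { ok: false; reason: string };

// Origins permitted to make state-changing, cookie-authenticated calls
// (constructed sample value for this example).
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Methods that may change state and therefore need the check.
const STATE_CHANGING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Reduce a Referer URL to its origin (scheme://host[:port]), or undefined.
function refererOrigin(referer: string | undefined): string | undefined {
  if (referer === undefined) return undefined;
  try { return new URL(referer).origin; } catch { return undefined; }
}

// Decide whether a cookie-authenticated request may proceed. The session
// cookie is deliberately not consulted: browsers attach cookies to cross-site
// requests too, which is what CSRF relies on, so a non-null session by itself
// does not prove the request was sent by our own front end.
function checkCsrf(method: string, headers: HeaderMap): CsrfVerdict {
  if (!STATE_CHANGING.has(method.toUpperCase())) {
    return { ok: true }; // safe methods must not change state anyway
  }
  // Modern browsers send Sec-Fetch-Site; reject cross-site outright.
  if (headers["sec-fetch-site"] === "cross-site") {
    return { ok: false, reason: "Sec-Fetch-Site: cross-site" };
  }
  // Browsers set Origin on cross-origin and most same-origin POSTs; fall back
  // to Referer for clients that omit it, and reject if neither is present.
  const source = headers["origin"] ?? refererOrigin(headers["referer"]);
  if (source === undefined) {
    return { ok: false, reason: "no Origin or Referer header" };
  }
  if (!ALLOWED_ORIGINS.has(source)) {
    return { ok: false, reason: `origin ${source} not allowed` };
  }
  return { ok: true };
}
```

Run this check before the session lookup in the middleware; a request that fails it should be rejected regardless of whether a session cookie is present.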