# @davaux/csrf

Version: v0.8.1
CSRF protection middleware for Davaux. Generates a per-session token and rejects mutating requests (POST, PUT, PATCH, DELETE) that don't carry it.
## Installation

```sh
npm install @davaux/csrf
```

Requires @davaux/session.
## Setup

Register sessionMiddleware before csrfMiddleware:

```ts
// davaux.config.ts
import { defineConfig } from 'davaux/config'
import { sessionMiddleware } from '@davaux/session'
import { csrfMiddleware } from '@davaux/csrf'

export default defineConfig({
  middleware: [
    // session first: the CSRF middleware stores its token in the session
    sessionMiddleware({ secret: process.env.SESSION_SECRET! }),
    csrfMiddleware(),
  ],
})
```

## Embedding the token in forms
`ctx.state.csrf.token` is available in every handler and layout:

```tsx
// src/routes/contact.page.tsx
export default definePage((ctx) => (
  <form method="post">
    <input type="hidden" name="_csrf" value={ctx.state.csrf.token} />
    <button type="submit">Send</button>
  </form>
))
```

For API clients, send the token in the `x-csrf-token` header instead of a form field.
## Options
| Option | Type | Default | Description |
|---|---|---|---|
| field | string | '_csrf' | Form field name to check |
| header | string | 'x-csrf-token' | Request header name (case-insensitive) |
| sessionKey | string | '_csrf' | Session key used to store the token |
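The block below is an added example and not the @davaux/csrf source: it models the behaviour this README describes (one token per session, read-only methods pass, mutating methods must carry the token in the form field or the header) together with the field, header and sessionKey options from the table above, written so it runs without Davaux. The `Ctx` shape, the `csrfGuard`/`check` names and the `demo` walk-through are assumptions; the option defaults are the ones in the table.

```typescript
// Added example: a stand-alone model of the check this README describes.
// It is not the @davaux/csrf source. The Ctx shape is an assumption that
// stands in for Davaux's request context so the code runs without the framework.
import { randomBytes, timingSafeEqual } from 'node:crypto'

export interface CsrfOptions {
  field?: string      // form field to read (README default: '_csrf')
  header?: string     // header to read, matched case-insensitively (README default: 'x-csrf-token')
  sessionKey?: string // session key the token is stored under (README default: '_csrf')
}

// Assumed request context; Davaux's real ctx may differ.
export interface Ctx {
  method: string
  session: Record<string, unknown>
  headers: Record<string, string>
  body?: Record<string, string>
  state: { csrf?: { token: string } }
}

// Read-only methods are never checked; everything else is treated as mutating.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS'])

export function csrfGuard(opts: CsrfOptions = {}) {
  const field = opts.field ?? '_csrf'
  const header = (opts.header ?? 'x-csrf-token').toLowerCase()
  const sessionKey = opts.sessionKey ?? '_csrf'

  return function check(ctx: Ctx): { ok: boolean; status?: number } {
    // One token per session: generate it on first use, then reuse it so forms
    // rendered earlier in the same session keep validating.
    const stored = ctx.session[sessionKey]
    const token = typeof stored === 'string' ? stored : randomBytes(32).toString('hex')
    ctx.session[sessionKey] = token
    ctx.state.csrf = { token } // what a page template reads as ctx.state.csrf.token

    if (SAFE_METHODS.has(ctx.method.toUpperCase())) return { ok: true }

    // Mutating request: accept the token from the form field or the header.
    const headerValue = Object.entries(ctx.headers)
      .find(([name]) => name.toLowerCase() === header)?.[1]
    const supplied = ctx.body?.[field] ?? headerValue
    if (typeof supplied !== 'string') return { ok: false, status: 403 }

    // Constant-time comparison; timingSafeEqual throws on unequal lengths, so
    // check the length first and treat a mismatch as a plain rejection.
    const a = Buffer.from(supplied, 'utf8')
    const b = Buffer.from(token, 'utf8')
    if (a.length !== b.length || !timingSafeEqual(a, b)) return { ok: false, status: 403 }
    return { ok: true }
  }
}

// Constructed walk-through: a page render (GET) issues the token, then
// mutating requests exercise the form-field path, the header path, a wrong
// token and a missing token.
export function demo() {
  const check = csrfGuard()
  const session: Record<string, unknown> = {} // shared by every request in the session
  const page: Ctx = { method: 'GET', session, headers: {}, state: {} }
  const pageOk = check(page).ok
  const token = page.state.csrf!.token

  const form: Ctx = { method: 'POST', session, headers: {}, body: { _csrf: token }, state: {} }
  const api: Ctx = { method: 'DELETE', session, headers: { 'X-CSRF-Token': token }, state: {} }
  const forged: Ctx = { method: 'POST', session, headers: {}, body: { _csrf: 'not-the-token' }, state: {} }
  const missing: Ctx = { method: 'PUT', session, headers: {}, state: {} }

  return {
    pageOk,                                   // true: GET needs no token
    formOk: check(form).ok,                   // true: token in the form field
    apiOk: check(api).ok,                     // true: token in the header, any case
    forgedStatus: check(forged).status,       // 403
    missingStatus: check(missing).status,     // 403
    stableToken: session['_csrf'] === token,  // token unchanged across requests
  }
}
```

The comparison uses `timingSafeEqual` after a length check; the README does not say how the package compares tokens, so treat that as this example's choice rather than a statement about @davaux/csrf. Everything else follows the page: the header lookup is case-insensitive, the form field is consulted before the header, and the token lives under `sessionKey` for the lifetime of the session.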
