@nathapp/nestjs-csrf
v3.3.0
Published
Stateless double-submit-cookie CSRF protection for NestJS (Express + Fastify), zero runtime dependencies
Downloads
64
Readme
@nathapp/nestjs-csrf
Stateless double-submit-cookie CSRF protection for NestJS, working on both the
Express and Fastify adapters, with zero runtime dependencies (Node crypto only).
Design
- Double-submit cookie (stateless) — no server-side session store. The guard
auto-issues an HMAC-signed token as a cookie on safe (GET/HEAD/OPTIONS) responses;
the client echoes it in the
x-csrf-tokenheader on mutating requests, and the guard verifies the two match. - Guard-only —
DefaultCsrfGuardperforms both auto-issue and verification;CsrfTokenServiceis the pure stdlib-HMAC mint/verify core. - Coexists with bearer auth — routes carrying
Authorization: Bearer …are skipped by default (a browser cannot silently attach that header cross-site). - Disable-able — globally via the module
enabledflag, and per-route via the@SkipCsrf()decorator.
Assumed peer setup
The host app must enable cookie parsing so req.cookies is populated:
- Express:
app.use(cookieParser())(cookie-parser) - Fastify:
app.register(require('@fastify/cookie'))(@fastify/cookie)
These are not auto-wired. If cookie parsing is not enabled, mutating requests fail closed (403).
See docs/superpowers/specs/2026-07-08-nestjs-csrf-design.md.
