CSRF Protection
Cross-Site Request Forgery prevention using token-based protection, double submit cookie pattern, and SameSite cookie configuration.
What's Included
- HMAC-signed CSRF token generation and validation
- Double submit cookie pattern (cookie + header matching)
- CSRF middleware for automatic enforcement on state-changing requests
- React context provider for client-side CSRF token access
- Protected form component with automatic token inclusion
- SameSite cookie configuration for additional protection
Usage
Via CLI
Via AI Assistant
Ask your AI assistant:
- "Use the CSRF protection pattern from Bootspring"
- "Apply the Bootspring CSRF pattern to my project"
Key Considerations
- Generate CSRF secrets with strong randomness (e.g., openssl rand -base64 32)
- Validate CSRF tokens on all state-changing requests (POST, PUT, DELETE)
- Skip CSRF validation for webhook endpoints that use their own signature verification
- Combine CSRF tokens with SameSite cookie settings for defense in depth
- Rotate tokens periodically or per-request for enhanced security
Related Patterns
- Input Validation - Validate all user input
- Security Headers - HTTP security headers
- Session Management - Secure session handling
- API Middleware - Request middleware patterns