CSRF Guard Plugin
Use CSRFGuardHandlerPlugin to protect against Cross-Site Request Forgery (CSRF) attacks by rejecting requests with unsafe fetch modes.
How It Works
The plugin inspects the Sec-Fetch-Mode request header and rejects any request whose mode is navigate, no-cors, or websocket, since requests in those modes can be triggered by cross-site links, forms, and other passive browser features.
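The check described above, re-implemented as an added example so it can be exercised against constructed requests (this is not oRPC's own implementation; the `evaluateFetchMode` and `guardedHandle` names, the 403 response, and treating a missing header as allowed are assumptions of this example):

```typescript
// Added example, not the plugin's source. Mirrors the documented rule:
// reject Sec-Fetch-Mode navigate, no-cors and websocket.
const UNSAFE_FETCH_MODES: ReadonlySet<string> = new Set(['navigate', 'no-cors', 'websocket'])

interface GuardDecision {
  allowed: boolean
  mode: string | null
  reason: string
}

function evaluateFetchMode(headers: Headers): GuardDecision {
  // Header names are case-insensitive; Headers.get() normalises them.
  const mode = headers.get('sec-fetch-mode')
  if (mode !== null && UNSAFE_FETCH_MODES.has(mode.toLowerCase())) {
    return { allowed: false, mode, reason: `Sec-Fetch-Mode "${mode}" rejected by CSRF guard` }
  }
  // Assumption of this example: a request without the header (e.g. from a
  // non-browser client) is passed through; the page does not specify this case.
  return { allowed: true, mode, reason: mode === null ? 'header absent' : `Sec-Fetch-Mode "${mode}" permitted` }
}

// Apply the decision in front of a fetch-style handler: 403 for rejected modes.
async function guardedHandle(
  request: Request,
  next: (req: Request) => Promise<Response>,
): Promise<Response> {
  const decision = evaluateFetchMode(request.headers)
  if (!decision.allowed) {
    return new Response(decision.reason, { status: 403 })
  }
  return next(request)
}

// Constructed sample requests, modelled on what a browser sends for a
// script-initiated fetch() versus a top-level HTML form submission.
const sampleScriptFetch = new Request('https://api.example.test/rpc/ping', {
  method: 'POST',
  headers: { 'content-type': 'application/json', 'sec-fetch-mode': 'cors' },
  body: '{}',
})
const sampleFormPost = new Request('https://api.example.test/rpc/ping', {
  method: 'POST',
  headers: { 'content-type': 'application/x-www-form-urlencoded', 'sec-fetch-mode': 'navigate' },
  body: 'x=1',
})
```

Note that the guard relies on the browser supplying Sec-Fetch-Mode; it is one layer and does not replace same-site cookies or origin checks.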
Setup
```ts
import { OpenAPIHandler } from '@orpc/openapi/fetch'
import { CSRFGuardHandlerPlugin } from '@orpc/server/plugins'

// `router` is your existing oRPC router
const handler = new OpenAPIHandler(router, {
  plugins: [
    new CSRFGuardHandlerPlugin(),
  ],
})
```

INFO
HTTP-based RPCHandler implementations enable this plugin by default. Disable it with csrfGuardHandlerPlugin.enabled.
```ts
// `router` is your existing oRPC router
const handler = new RPCHandler(router, {
  csrfGuardHandlerPlugin: {
    enabled: false,
  },
})
```

INFO
The handler can be any supported oRPC handler, such as RPCHandler, OpenAPIHandler, or a custom one.
Learn More
For implementation details, see the source code.

