Simple CSRF Protection Plugin
This plugin adds basic Cross-Site Request Forgery (CSRF) protection to your oRPC application. It helps ensure that requests to your procedures originate from JavaScript code, not from other sources like standard HTML forms or direct browser navigation.
When to Use
This plugin is beneficial if your application stores sensitive data (like session or auth tokens) in Cookie storage using SameSite=Lax (the default) or SameSite=None.
Setup
This plugin requires configuration on both the server and client sides.
Server
ts
import { SimpleCsrfProtectionHandlerPlugin } from '@orpc/server/plugins'
const handler = new RPCHandler(router, {
strictGetMethodPluginEnabled: false, // Replace Strict Get Method Plugin
plugins: [
new SimpleCsrfProtectionHandlerPlugin()
],
})INFO
The handler can be any supported oRPC handler, such as RPCHandler, OpenAPIHandler, or custom implementations.
Client
ts
import { SimpleCsrfProtectionLinkPlugin } from '@orpc/client/plugins'
const link = new RPCLink({
url: 'https://api.example.com/rpc',
plugins: [
new SimpleCsrfProtectionLinkPlugin(),
],
})INFO
The link can be any supported oRPC link, such as RPCLink, OpenAPILink, or custom implementations.