Security News
cURL Project and Go Security Teams Reject CVSS as Broken
cURL and Go security teams are publicly rejecting CVSS as flawed for assessing vulnerabilities and are calling for more accurate, context-aware approaches.
@edge-csrf/nextjs
Advanced tools
This is the documentation for the Edge-CSRF's Next.js integration. The integration works with Next.js 13 and Next.js 14.
First, add the integration library as a dependency to your app:
npm install @edge-csrf/nextjs
# or
pnpm add @edge-csrf/nextjs
# or
yarn add @edge-csrf/nextjs
Next, create a middleware file (middleware.ts
) for your project and add the Edge-CSRF middleware:
// middleware.ts
import { createMiddleware } from '@edge-csrf/nextjs';
// initalize csrf protection middleware
const csrfMiddleware = createMiddleware({
cookie: {
secure: process.env.NODE_ENV === 'production',
},
});
export const middleware = csrfMiddleware;
Now, all HTTP submission requests (e.g. POST, PUT, DELETE, PATCH) will be rejected if they do not include a valid CSRF token. To add the CSRF token to your forms, you can fetch it from the X-CSRF-Token
HTTP response header server-side or client-side. For example:
// app/page.tsx
import { headers } from 'next/headers';
export default function Page() {
const csrfToken = headers().get('X-CSRF-Token') || 'missing';
return (
<form action="/api/form-handler" method="post">
<input type="hidden" value={csrfToken}>
<input type="text" name="my-input">
<input type="submit">
</form>
);
}
// app/form-handler/route.ts
import { NextResponse } from 'next/server';
export async function POST() {
return NextResponse.json({ status: 'success' });
}
// pages/form.ts
import type { NextPage, GetServerSideProps } from 'next';
import React from 'react';
type Props = {
csrfToken: string;
};
export const getServerSideProps: GetServerSideProps = async ({ res }) => {
const csrfToken = res.getHeader('x-csrf-token') || 'missing';
return { props: { csrfToken } };
}
const FormPage: NextPage<Props> = ({ csrfToken }) => {
return (
<form action="/api/form-handler" method="post">
<input type="hidden" value={csrfToken}>
<input type="text" name="my-input">
<input type="submit">
</form>
);
}
export default FormPage;
// pages/api/form-handler.ts
import type { NextApiRequest, NextApiResponse } from 'next';
type Data = {
status: string
};
export default function handler(req: NextApiRequest, res: NextApiResponse<Data>) {
// this code won't execute unless CSRF token passes validation
res.status(200).json({ status: 'success' });
}
Here are some examples in this repository:
Version | Router | Implementation |
---|---|---|
Next.js 13 | app router | HTML form |
Next.js 13 | app router | JavaScript (dynamic) |
Next.js 13 | app router | JavaScript (static) |
Next.js 13 | pages router | HTML form |
Next.js 14 | app router | HTML form |
Next.js 14 | app router | JavaScript (dynamic) |
Next.js 14 | app router | JavaScript (static) |
Next.js 14 | app router | Sentry |
Next.js 14 | app router | Server action (form) |
Next.js 14 | app router | Server action (non-form) |
Next.js 14 | pages router | HTML form |
If you want lower-level control over the response or which routes CSRF protection will be applied to you can use the createCsrfProtect()
method to create a function that you can use inside your own custom middleware:
// middleware.ts
import { CsrfError, createCsrfProtect } from '@edge-csrf/nextjs';
import { NextResponse } from 'next/server';
import type { NextRequest } from 'next/server';
// initalize csrf protection method
const csrfProtect = createCsrfProtect({
cookie: {
secure: process.env.NODE_ENV === 'production',
},
});
// Next.js middleware function
export const middleware = async (request: NextRequest) => {
const response = NextResponse.next();
try {
await csrfProtect(request, response);
} catch (err) {
if (err instanceof CsrfError) return new NextResponse('invalid csrf token', { status: 403 });
throw err;
}
return response;
};
// default config
{
cookie: {
name: '_csrfSecret',
path: '/',
maxAge: undefined,
domain: '',
secure: true,
httpOnly: true,
sameSite: 'strict'
},
excludePathPrefixes: ['/_next/'],
ignoreMethods: ['GET', 'HEAD', 'OPTIONS'],
saltByteLength: 8,
secretByteLength: 18,
token: {
responseHeader: 'X-CSRF-Token',
value: undefined
}
}
The following are named exports in the the @edge-csrf/nextjs
module:
NextCsrfProtectFunction - A function that implements CSRF protection for Next.js requests
* @param {NextRequest} request - The Next.js request instance
* @param {NextResponse} response - The Next.js response instance
* @returns {Promise<void>} - The function completed successfully
* @throws {CsrfError} - The function encountered a CSRF error
CsrfError - A class that inherits from Error and represents CSRF errors
createMiddleware([, options]) - Create a new instance of Next.js middleware
* @param {object} options - The configuration options
* @returns {Middleware} - The middleware
createCsrfProtect([, options]) - Create a lower-level function that can be used inside Next.js middleware
to implement CSRF protection for requests
* @param {object} options - The configuration options
* @returns {NextCsrfProtectFunction} - The CSRF protection function
FAQs
Edge-CSRF Next.js integration library
The npm package @edge-csrf/nextjs receives a total of 9,162 weekly downloads. As such, @edge-csrf/nextjs popularity was classified as popular.
We found that @edge-csrf/nextjs demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
cURL and Go security teams are publicly rejecting CVSS as flawed for assessing vulnerabilities and are calling for more accurate, context-aware approaches.
Security News
Bun 1.2 enhances its JavaScript runtime with 90% Node.js compatibility, built-in S3 and Postgres support, HTML Imports, and faster, cloud-first performance.
Security News
Biden's executive order pushes for AI-driven cybersecurity, software supply chain transparency, and stronger protections for federal and open source systems.