According to wikipedia
Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts.
Just a bare minimal implementation using csrf token with nextjs
Module i used
- https://github.com/pillarjs/csrf
- https://github.com/maticzav/nookies
- https://github.com/hoangvvo/next-connect
There are some rules in this case
- Csrf secret stored in
_csrfcookie. - Csrf token stored in
x-xsrf-tokencookie, latter to be used for XHR/API call.- In this case i will use axios for calling api since the module has built action for carries
x-xsrf-tokenautomatically
- In this case i will use axios for calling api since the module has built action for carries
- Restriction only applied on
/api/*path - Csrf token also available in
req.tokenif you decide to put the token intopagePropsby usinggetServerSideProps