CSRF Protection

[FredKSchott]

Body

https://kit.svelte.dev/docs/configuration#csrf

SvelteKit and Qwik have this idea of CSRF protection built in. From the SvelteKit docs:

Whether to check the incoming origin header for POST form submissions and verify that it matches the server's origin.

To allow people to make POST form submissions to your app from other origins, you will need to disable this option. Be careful!

This makes a lot of sense, and probably is fairly easy to add. It would be a breaking change though, so would need to be off-by-default until 3.0

[pilcrowonpaper]

Was about to post a new proposal on this! Would be a good default. safeParseURL() is just new URL() but returns null for invalid urls

// should probably check for OPTIONS, HEAD, and TRACE
if (context.request.method !== "GET") {
  const originHeader = request.headers.get("Origin");
  const hostHeader = request.headers.get("Header");
  if (!originHeader || !hostHeader) {
    return new Response(null, {
     status: 403
    });
  }
  const originHostname = safeParseURL(originHeader).hostname;
  const hostHostname = safeParseURL(hostHeader).hostname;
  if (!originHostname || !hostHostname || originHostname !== hostHostname) {
    return new Response(null, {
     status: 403
    });  
  }
}

[natemoo-re]

Svelte Kit's implementation is here (thanks @bluwy) https://github.com/sveltejs/kit/blob/2a302b26d6f8c9d46c59852c3f8f25e387e30876/packages/kit/src/runtime/server/respond.js#L61-L80

Here's a comprehensive Cross-Site Request Forgery Prevention Cheat Sheet for reference.

[ematipico]

Closing as accepted