myeasycms-v2/docs/data-fetching/csrf-protection.mdoc
Giancarlo Buomprisco 7ebff31475 Next.js Supabase V3 (#463)
Version 3 of the kit:
- Radix UI replaced with Base UI (using the Shadcn UI patterns)
- next-intl replaces react-i18next
- enhanceAction deprecated; usage moved to next-safe-action
- main layout now wrapped with [locale] path segment
- Teams only mode
- Layout updates
- Zod v4
- Next.js 16.2
- TypeScript 6
- All other dependencies updated
- Removed deprecated Edge CSRF
- Dynamic GitHub Action runner
2026-03-24 13:40:38 +08:00
---
status: "published"
title: "CSRF Protection"
description: "How CSRF protection works in Makerkit."
label: "CSRF Protection"
order: 6
---
## CSRF Protection
CSRF protection is handled automatically by Next.js when using Server Actions. You do not need to manage CSRF tokens manually.
### Server Actions
Server Actions are inherently protected against CSRF attacks by Next.js. The framework validates the origin of all Server Action requests, ensuring they come from the same origin as your application.
No additional configuration or token passing is needed.
### API Route Handlers
API Route Handlers under `/api/*` do not have CSRF protection, as they are typically used for webhooks, external services, and third-party integrations. If you need to protect an API route from unauthorized access, use authentication checks via `enhanceRouteHandler` with `auth: true`.
### Recommendations
- **Prefer Server Actions** for all mutations from client components. They provide built-in CSRF protection and type safety.
- **Use Route Handlers** only for webhooks, streaming responses, or integrations that require standard HTTP endpoints.
---
## V2 Legacy
In v2, Makerkit used `@edge-csrf/nextjs` middleware to protect non-API routes against CSRF attacks. A `useCsrfToken` hook from `@kit/shared/hooks` was used to retrieve the CSRF token and pass it as an `X-CSRF-Token` header on fetch requests. Both have been removed in v3 since Server Actions handle CSRF protection natively.