The csrf() middleware can be used to safeguard against Cross-Site Request Forgery vulnerabilities. It verifies that state-changing requests (POST, PUT, DELETE, etc.) originate from your own site by checking the Sec-Fetch-Site and Origin headers. Requests from untrusted origins are rejected.
ts
import { App, csrf } from "fresh";
const app = new App();
app.use(csrf());
// Specify a single origin
app.use(csrf({ origin: "https://example.com" }));
// Specify multiple origins
app.use(
csrf({ origin: ["https://example.com", "https://trusted.example.com"] }),
);
// Use a function
app.use(
csrf({
origin: (origin) => /^https:\/\/(foo|bar)\.example\.com$/.test(origin),
}),
);