
edge-csrf

  • Purpose: Edge-CSRF is a CSRF protection library designed for JavaScript applications running on the edge runtime. It implements the signed double submit cookie pattern to secure applications against CSRF attacks.

  • Key Features:

    • Runs on both Node and edge runtimes.
    • Supports multiple frameworks, including SvelteKit, Next.js, Express, and Node-HTTP.
    • Provides a low-level API for custom integrations.
    • Extracts tokens from HTTP headers or request bodies.
    • Handles various request body types (form-urlencoded, multipart/form-data, JSON).
    • Supports Server Actions for form and non-form submissions.
    • Customizable cookie and other security options.
  • Target Audience: Developers building applications on edge runtimes (e.g., Vercel Edge Functions, Cloudflare Pages Functions) who need CSRF protection with minimal dependencies.

  • Framework Support:

    • SvelteKit: Includes a dedicated integration (@edge-csrf/sveltekit) for seamless CSRF protection.
    • Next.js, Express, and Node-HTTP also have tailored integrations.
  • Security Note: The library's own documentation states that it currently uses the Naive Double-Submit Cookie Pattern, which is vulnerable to sub-domain attacks. Because the check only compares a value carried in a cookie against a value carried in the request, with no server-side key involved, an attacker who can set cookies for the parent domain (for example from an attacker-controlled or compromised sibling sub-domain, via a Domain=example.com cookie) can plant a matching cookie/token pair and pass the check. Developers should assess their application's exposure and consider alternatives if sub-domain attacks are a concern.

  • Quickstart Highlights:

    • SvelteKit: Integrate via hooks.server.ts and access the CSRF token via locals.
    • Next.js: Middleware-based integration with token retrieval from headers.
    • Express/Node-HTTP: Middleware or request-handler integration for traditional server setups.

For more details, refer to the specific framework documentation.

Tags: csrf, next, nextjs, edge, svelte, sveltekit
