feat: change default value of checkOrigin (#11788)

* feat: change default value of `checkOrigin` * feedback * feedback * change `checkOrigin`
2025-03-10 23:01:26 -05:00 · 2024-08-23 16:07:20 +01:00 · 2024-08-23 16:07:20 +01:00 · 7c0ccfc269
commit 7c0ccfc269
parent e9e2139bf7
5 changed files with 28 additions and 9 deletions
--- a/.changeset/itchy-toys-march.md
+++ b/.changeset/itchy-toys-march.md
@ -0,0 +1,17 @@
+---
+'astro': major
+---
+
+Updates the default value of `security.checkOrigin` to `true`, which enables Cross-Site Request Forgery (CSRF) protection by default for pages rendered on demand.
+
+If you had previously configured `security.checkOrigin: true`, you no longer need this set in your Astro config. This is now the default and it is safe to remove.
+
+To disable this behavior and opt out of automatically checking that the “origin” header matches the URL sent by each request, you must explicitly set `security.checkOrigin: false`:
+
+```diff
+export default defineConfig({
+  security: {
+    checkOrigin: false
+  }
+})
+```
--- a/packages/astro/src/core/config/schema.ts
+++ b/packages/astro/src/core/config/schema.ts
@ -81,7 +81,9 @@ export const ASTRO_CONFIG_DEFAULTS = {
 	vite: {},
 	legacy: {},
 	redirects: {},
-	security: {},
+	security: {
+		checkOrigin: true
+	},
 	env: {
 		schema: {},
 		validateSecrets: false,
@ -499,7 +501,7 @@ export const AstroConfigSchema = z.object({
 	),
 	security: z
 		.object({
-			checkOrigin: z.boolean().default(false),
+			checkOrigin: z.boolean().default(ASTRO_CONFIG_DEFAULTS.security.checkOrigin),
 		})
 		.optional()
 		.default(ASTRO_CONFIG_DEFAULTS.security),
--- a/packages/astro/src/types/public/config.ts
+++ b/packages/astro/src/types/public/config.ts
@ -467,11 +467,11 @@ export interface AstroUserConfig {
 		 * @name security.checkOrigin
 		 * @kind h4
 		 * @type {boolean}
-		 * @default 'false'
+		 * @default 'true'
 		 * @version 4.9.0
 		 * @description
 		 *
-		 * When enabled, performs a check that the "origin" header, automatically passed by all modern browsers, matches the URL sent by each `Request`. This is used to provide Cross-Site Request Forgery (CSRF) protection.
+		 * Performs a check that the "origin" header, automatically passed by all modern browsers, matches the URL sent by each `Request`. This is used to provide Cross-Site Request Forgery (CSRF) protection.
 		 *
 		 * The "origin" check is executed only for pages rendered on demand, and only for the requests `POST`, `PATCH`, `DELETE` and `PUT` with
 		 * one of the following `content-type` headers: `'application/x-www-form-urlencoded'`, `'multipart/form-data'`, `'text/plain'`.
@ -1961,7 +1961,7 @@ export interface AstroInlineOnlyConfig {
 	 * If this value is undefined or unset, Astro will search for an `astro.config.(js,mjs,ts)` file relative to
 	 * the `root` and load the config file if found.
 	 *
-	 * The inline config passed in this object will take highest priority when merging with the loaded user config.
+	 * The inline config passed in this object will take the highest priority when merging with the loaded user config.
 	 */
 	configFile?: string | false;
 	/**
--- a/packages/astro/test/fixtures/actions/astro.config.mjs
+++ b/packages/astro/test/fixtures/actions/astro.config.mjs
@ -6,4 +6,7 @@ export default defineConfig({
 	experimental: {
 		actions: true,
 	},
+	security: {
+		checkOrigin: false
+	}
 });
--- a/packages/astro/test/fixtures/csrf-check-origin/astro.config.mjs
+++ b/packages/astro/test/fixtures/csrf-check-origin/astro.config.mjs
@ -2,9 +2,6 @@ import { defineConfig } from 'astro/config';

 // https://astro.build/config
 export default defineConfig({
-	output: "server",
-	security: {
-		checkOrigin: true
-	}
+	output: "server"
 });