diff --git a/.changeset/itchy-toys-march.md b/.changeset/itchy-toys-march.md
new file mode 100644
index 0000000000..972923ecfe
--- /dev/null
+++ b/.changeset/itchy-toys-march.md
@@ -0,0 +1,17 @@
+---
+'astro': major
+---
+
+Updates the default value of `security.checkOrigin` to `true`, which enables Cross-Site Request Forgery (CSRF) protection by default for pages rendered on demand.
+
+If you had previously configured `security.checkOrigin: true`, you no longer need this set in your Astro config. This is now the default and it is safe to remove.
+
+To disable this behavior and opt out of automatically checking that the “origin” header matches the URL sent by each request, you must explicitly set `security.checkOrigin: false`:
+
+```diff
+export default defineConfig({
++ security: {
++ checkOrigin: false
++ }
+})
+```
diff --git a/packages/astro/src/core/config/schema.ts b/packages/astro/src/core/config/schema.ts
index abf1be876b..067790a660 100644
--- a/packages/astro/src/core/config/schema.ts
+++ b/packages/astro/src/core/config/schema.ts
@@ -81,7 +81,9 @@ export const ASTRO_CONFIG_DEFAULTS = {
 vite: {},
 legacy: {},
 redirects: {},
- security: {},
+ security: {
+ checkOrigin: true
+ },
 env: {
 schema: {},
 validateSecrets: false,
@@ -499,7 +501,7 @@ export const AstroConfigSchema = z.object({
 ),
 security: z
 .object({
- checkOrigin: z.boolean().default(false),
+ checkOrigin: z.boolean().default(ASTRO_CONFIG_DEFAULTS.security.checkOrigin),
 })
 .optional()
 .default(ASTRO_CONFIG_DEFAULTS.security),
diff --git a/packages/astro/src/types/public/config.ts b/packages/astro/src/types/public/config.ts
index 78f95869d7..7d1b38b871 100644
--- a/packages/astro/src/types/public/config.ts
+++ b/packages/astro/src/types/public/config.ts
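Review bot: The new `checkOrigin: true` entry in `ASTRO_CONFIG_DEFAULTS.security` carries no comment marking it as a security default, so the next person editing this object has nothing telling them that flipping it back silently removes CSRF protection for every project that never set `security.checkOrigin`. A one-line comment above the entry, `// CSRF origin check is on by default; projects opt out with security.checkOrigin: false`, would make that visible at the single place the value is defined. The second schema.ts hunk reads the same value back through `ASTRO_CONFIG_DEFAULTS.security.checkOrigin`, which keeps the Zod default and the defaults object from drifting, so the comment belongs here rather than there.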
@@ -467,11 +467,11 @@ export interface AstroUserConfig {
 * @name security.checkOrigin
 * @kind h4
 * @type {boolean}
- * @default 'false'
+ * @default 'true'
 * @version 4.9.0
 * @description
 *
- * When enabled, performs a check that the "origin" header, automatically passed by all modern browsers, matches the URL sent by each `Request`. This is used to provide Cross-Site Request Forgery (CSRF) protection.
+ * Performs a check that the "origin" header, automatically passed by all modern browsers, matches the URL sent by each `Request`. This is used to provide Cross-Site Request Forgery (CSRF) protection.
 *
 * The "origin" check is executed only for pages rendered on demand, and only for the requests `POST`, `PATCH`, `DELETE` and `PUT` with
 * one of the following `content-type` headers: `'application/x-www-form-urlencoded'`, `'multipart/form-data'`, `'text/plain'`.
@@ -1961,7 +1961,7 @@ export interface AstroInlineOnlyConfig {
 * If this value is undefined or unset, Astro will search for an `astro.config.(js,mjs,ts)` file relative to
 * the `root` and load the config file if found.
 *
- * The inline config passed in this object will take highest priority when merging with the loaded user config.
+ * The inline config passed in this object will take the highest priority when merging with the loaded user config.
 */
 configFile?: string | false;
 /**
diff --git a/packages/astro/test/fixtures/actions/astro.config.mjs b/packages/astro/test/fixtures/actions/astro.config.mjs
index fc6477578b..9cbd6883a4 100644
--- a/packages/astro/test/fixtures/actions/astro.config.mjs
+++ b/packages/astro/test/fixtures/actions/astro.config.mjs
@@ -6,4 +6,7 @@ export default defineConfig({
 experimental: {
 actions: true,
 },
+ security: {
+ checkOrigin: false
+ }
 });
diff --git a/packages/astro/test/fixtures/csrf-check-origin/astro.config.mjs b/packages/astro/test/fixtures/csrf-check-origin/astro.config.mjs
index da3e099125..77f158d57e 100644
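Review bot: The rewritten `@description` for `security.checkOrigin` still does not say what happens to a request that carries no `origin` header at all, and now that the check is on by default that case matters to every non-browser client (scripted clients, server-to-server calls, webhooks) sending a form-encoded body to an on-demand page. The doc should state whether such a request is rejected or allowed through, and it should name the opt-out now that the old "When enabled" wording is gone, e.g. after the first paragraph add `* Set security.checkOrigin to false to disable the check; doing so removes CSRF protection for the requests listed below.` I cannot tell from this hunk how the missing-header case is handled, so that sentence has to be written from the implementation. The enclosing `AstroUserConfig` interface starts and ends outside the hunk.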
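Review bot: The actions test fixture now opts out of the origin check with no comment saying why, which leaves a bare `security: { checkOrigin: false }` snippet in the repository that reads like recommended configuration. Presumably the test client issues requests without a matching `origin` header; if so, say it in place, `// Test client sends no Origin header; opt out of the CSRF check for this fixture only.`, so the setting is understood as a test accommodation rather than guidance. If the test client can instead send a matching `origin` header, the opt-out is unnecessary and the actions tests would also exercise the new default.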
--- a/packages/astro/test/fixtures/csrf-check-origin/astro.config.mjs
+++ b/packages/astro/test/fixtures/csrf-check-origin/astro.config.mjs
@@ -2,9 +2,6 @@ import { defineConfig } from 'astro/config';
 // https://astro.build/config
 export default defineConfig({
- output: "server",
- security: {
- checkOrigin: true
- }
+ output: "server"
 });