feat: change default value of checkOrigin (#11788)

* feat: change default value of `checkOrigin`

* feedback

* feedback

* change `checkOrigin`

.changeset/itchy-toys-march.md

@@ -0,0 +1,17 @@
+---
+'astro': major
+---
+
+Updates the default value of `security.checkOrigin` to `true`, which enables Cross-Site Request Forgery (CSRF) protection by default for pages rendered on demand.
+
+If you had previously configured `security.checkOrigin: true`, you no longer need this set in your Astro config. This is now the default and it is safe to remove.
+
+To disable this behavior and opt out of automatically checking that the “origin” header matches the URL sent by each request, you must explicitly set `security.checkOrigin: false`:
+
+```diff
+export default defineConfig({
++  security: {
++    checkOrigin: false
++  }
+})
+```

packages/astro/src/core/config/schema.ts

@@ -81,7 +81,9 @@ export const ASTRO_CONFIG_DEFAULTS = {
 	vite: {},
 	legacy: {},
 	redirects: {},
-	security: {},
+	security: {
+		checkOrigin: true
+	},
 	env: {
 		schema: {},
 		validateSecrets: false,
@@ -499,7 +501,7 @@ export const AstroConfigSchema = z.object({
 	),
 	security: z
 		.object({
-			checkOrigin: z.boolean().default(false),
+			checkOrigin: z.boolean().default(ASTRO_CONFIG_DEFAULTS.security.checkOrigin),
 		})
 		.optional()
 		.default(ASTRO_CONFIG_DEFAULTS.security),

packages/astro/src/types/public/config.ts

@@ -467,11 +467,11 @@ export interface AstroUserConfig {
 		 * @name security.checkOrigin
 		 * @kind h4
 		 * @type {boolean}
-		 * @default 'false'
+		 * @default 'true'
 		 * @version 4.9.0
 		 * @description
 		 *
-		 * When enabled, performs a check that the "origin" header, automatically passed by all modern browsers, matches the URL sent by each `Request`. This is used to provide Cross-Site Request Forgery (CSRF) protection.
+		 * Performs a check that the "origin" header, automatically passed by all modern browsers, matches the URL sent by each `Request`. This is used to provide Cross-Site Request Forgery (CSRF) protection.
 		 *
 		 * The "origin" check is executed only for pages rendered on demand, and only for the requests `POST`, `PATCH`, `DELETE` and `PUT` with
 		 * one of the following `content-type` headers: `'application/x-www-form-urlencoded'`, `'multipart/form-data'`, `'text/plain'`.
@@ -1961,7 +1961,7 @@ export interface AstroInlineOnlyConfig {
 	 * If this value is undefined or unset, Astro will search for an `astro.config.(js,mjs,ts)` file relative to
 	 * the `root` and load the config file if found.
 	 *
-	 * The inline config passed in this object will take highest priority when merging with the loaded user config.
+	 * The inline config passed in this object will take the highest priority when merging with the loaded user config.
 	 */
 	configFile?: string | false;
 	/**

packages/astro/test/fixtures/actions/astro.config.mjs

@@ -6,4 +6,7 @@ export default defineConfig({
 	experimental: {
 		actions: true,
 	},
+	security: {
+		checkOrigin: false
+	}
 });

packages/astro/test/fixtures/csrf-check-origin/astro.config.mjs

@@ -2,9 +2,6 @@ import { defineConfig } from 'astro/config';
 
 // https://astro.build/config
 export default defineConfig({
-	output: "server",
+	output: "server"
-	security: {
-		checkOrigin: true
-	}
 });