mirror of https://github.com/withastro/astro.git synced 2024-12-16 21:46:22 -05:00
astro/.changeset/chatty-experts-smell.md
Emanuele Stoppa 2d4c8faa56
feat: make CSRF protection stable (#11021)
* feat: make CSRF protection stable

* revert change

* Apply suggestions from code review

Co-authored-by: Sarah Rainsberger <sarah@rainsberger.ca>

* Update packages/astro/src/@types/astro.ts

Co-authored-by: Sarah Rainsberger <sarah@rainsberger.ca>

* Update packages/astro/src/@types/astro.ts

Co-authored-by: Sarah Rainsberger <sarah@rainsberger.ca>

* beef up changeset

* Update .changeset/chatty-experts-smell.md

Co-authored-by: Sarah Rainsberger <sarah@rainsberger.ca>

* Update .changeset/chatty-experts-smell.md

Co-authored-by: Sarah Rainsberger <sarah@rainsberger.ca>

* move section

* Apply suggestions from code review

Co-authored-by: Sarah Rainsberger <sarah@rainsberger.ca>

---------

Co-authored-by: Sarah Rainsberger <sarah@rainsberger.ca>
2024-05-22 12:10:30 +01:00


---
"astro": minor
---
The CSRF protection feature that was introduced behind a flag in [v4.6.0](https://github.com/withastro/astro/blob/main/packages/astro/CHANGELOG.md#460) is no longer experimental and is available for general use.
To enable the stable version, add the new top-level `security` option in `astro.config.mjs`. If you were previously using the experimental version of this feature, also delete the experimental flag:
```diff
export default defineConfig({
- experimental: {
- security: {
- csrfProtection: {
- origin: true
- }
- }
- },
+ security: {
+ checkOrigin: true
+ }
})
```
When enabled, this setting checks that the `"origin"` header, which all modern browsers send automatically, matches the URL of each request.
This check is executed only for pages rendered on demand, and only for `POST`, `PATCH`, `DELETE` and `PUT` requests with one of the following `"content-type"` headers: `'application/x-www-form-urlencoded'`, `'multipart/form-data'`, `'text/plain'`.
If the `"origin"` header doesn't match the pathname of the request, Astro returns a 403 status code and does not render the page.
For more information, see the [`security` configuration docs](https://docs.astro.build/en/reference/configuration-reference/#security).
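The following is an added, stand-alone illustration of the rule described above; it is not Astro's own implementation and was not part of this changeset. It uses the standard `Request` API (Node 18+) and assumes two details the text leaves open: a missing `origin` header is treated as a mismatch, and media-type parameters such as `; boundary=...` or `; charset=...` are stripped before the `content-type` comparison. The constructed sample requests at the bottom also show what the rule does not cover, for example a JSON `POST`, which is simply not checked.

```javascript
// Added example: an origin check with the same scope as the stable `security.checkOrigin`
// option described in the changeset. Hypothetical helper names; not Astro's code.
const CHECKED_METHODS = new Set(['POST', 'PATCH', 'DELETE', 'PUT']);
const CHECKED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Normalise a content-type header value to its bare media type.
// Assumption: parameters (boundary, charset) are ignored for the comparison.
function mediaType(request) {
  const raw = request.headers.get('content-type') || '';
  return raw.split(';')[0].trim().toLowerCase();
}

// Only the listed methods with one of the form-style content types are in scope.
function needsOriginCheck(request) {
  if (!CHECKED_METHODS.has(request.method.toUpperCase())) return false;
  return CHECKED_CONTENT_TYPES.has(mediaType(request));
}

// Compare the Origin header with the origin of the request URL.
// Assumption: an absent Origin header counts as a mismatch.
function originMatches(request) {
  const origin = request.headers.get('origin');
  if (origin === null) return false;
  return origin === new URL(request.url).origin;
}

// Decision as a middleware would make it: 403 blocks rendering, anything else passes.
function checkOrigin(request) {
  if (!needsOriginCheck(request)) return { allowed: true, status: 200, reason: 'not in scope' };
  if (originMatches(request)) return { allowed: true, status: 200, reason: 'origin matches' };
  return { allowed: false, status: 403, reason: 'origin mismatch' };
}

// Constructed sample requests (not real traffic) covering the interesting cases.
function buildSamples() {
  const site = 'https://app.example';
  const make = (method, headers, path = '/submit') =>
    new Request(site + path, { method, headers });
  return {
    sameOriginForm: make('POST', {
      origin: site,
      'content-type': 'application/x-www-form-urlencoded',
    }),
    crossOriginForm: make('POST', {
      origin: 'https://other.example',
      'content-type': 'multipart/form-data; boundary=----constructed',
    }),
    missingOriginText: make('PUT', { 'content-type': 'text/plain; charset=utf-8' }),
    jsonPost: make('POST', {
      origin: 'https://other.example',
      'content-type': 'application/json',
    }),
    plainGet: make('GET', { origin: 'https://other.example' }),
  };
}

// Run every sample through the check and return the status per name.
function runSamples() {
  const out = {};
  for (const [name, req] of Object.entries(buildSamples())) {
    out[name] = checkOrigin(req).status;
  }
  return out;
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log(runSamples());
}
```

The `jsonPost` case is the caveat worth noticing: a cross-origin `POST` with `application/json` is outside the documented scope and passes this check untouched, so JSON endpoints still need their own origin or token validation.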