{"id":21238692,"url":"https://github.com/shahradelahi/next-csrf","last_synced_at":"2025-04-09T15:07:16.844Z","repository":{"id":279459981,"uuid":"821500152","full_name":"shahradelahi/next-csrf","owner":"shahradelahi","description":"[WIP] CSRF Protection for NextJs","archived":false,"fork":false,"pushed_at":"2025-04-08T10:41:08.000Z","size":39,"stargazers_count":82,"open_issues_count":12,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-09T15:07:10.849Z","etag":null,"topics":["csrf","csrf-protection","next","nextjs"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/shahradelahi.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-06-28T17:22:27.000Z","updated_at":"2025-04-09T12:55:00.000Z","dependencies_parsed_at":"2025-04-01T06:26:05.886Z","dependency_job_id":"42840b7f-526c-4339-bc2a-551d64c4b5be","html_url":"https://github.com/shahradelahi/next-csrf","commit_stats":null,"previous_names":["shahradelahi/next-csrf"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shahradelahi%2Fnext-csrf","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shahradelahi%2Fnext-csrf/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shahradelahi%2Fnext-csrf/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shahradelahi%2Fnext-csrf/manifests","owner_url":"https://repos.ecosyste.ms/api/v
1/hosts/GitHub/owners/shahradelahi","download_url":"https://codeload.github.com/shahradelahi/next-csrf/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248055284,"owners_count":21040157,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["csrf","csrf-protection","next","nextjs"],"created_at":"2024-11-21T00:37:42.125Z","updated_at":"2025-04-09T15:07:16.816Z","avatar_url":"https://github.com/shahradelahi.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# next-csrf\n\nA robust CSRF protection library for Next.js. Easily configure, generate, and validate CSRF tokens with flexible options and built-in cookie management. 
Ensure secure request handling by integrating seamless middleware functions for your Next.js applications.\n\n## Installation\n\n```bash\nnpm i @se-oss/next-csrf\n```\n\n## Integration\n\nFirst, create a strong random string and assign it to the `NEXT_CSRF_SECRET` environment variable.\n\n```text\n// .env.local\n##\n# You can use the following to generate a random string\n# openssl rand -base64 32\n##\nNEXT_CSRF_SECRET=\"\"\n```\n\nThen update your [`Middleware`](https://nextjs.org/docs/app/building-your-application/routing/middleware) with the following:\n\n```typescript\nimport { configureCSRF, withCSRFProtection } from '@se-oss/next-csrf';\nimport { NextResponse, type NextRequest } from 'next/server';\n\nconfigureCSRF({\n  matcher: [\n    /**\n     * (default) Protect every route except:\n     * - _next/static (static files)\n     * - _next/image (image optimization files)\n     * - favicon.ico (favicon file)\n     * - images - .svg, .png, .jpg, .jpeg, .gif, .webp\n     * - request methods - GET, HEAD, OPTIONS\n     */\n    {\n      pattern:\n        /^\\/((?!_next\\/static|_next\\/image|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)/,\n      ignoredMethods: ['GET', 'HEAD', 'OPTIONS']\n    },\n    // Strictly protect API routes.\n    {\n      pattern: /^\\/api\\/.*/,\n      ignoredMethods: false\n    }\n  ],\n  csrfErrorMessage: 'CSRF Verification Failed.',\n  cookieOptions: {\n    domain:\n      process.env.NODE_ENV === 'production' ? '.example.com' : 'localhost',\n    maxAge: 60 * 60 * 24 // 1 day\n  }\n});\n\nexport default withCSRFProtection(async (req: NextRequest) =\u003e {\n  return NextResponse.next();\n});\n```\n\nNow you are all set! 
You can test it with the following `curl` commands:\n\n```bash\n$ curl --request GET 'http://localhost:3000/api/protected'\n\n# Response\n# CSRF Verification Failed.\n\n$ curl --request GET 'http://localhost:3000/api/protected' \\\n  --cookie \"next-csrf=FIehA1zS-LPbO2NcJksFJCUkbn89fUWS33qarn_B98PU2olbG-j0\"\n\n# Response\n# {\"message\":\"Hello, Next.js!\"}\n```\n\n## Contributing\n\nWant to contribute? Awesome! To show your support, star the project or raise issues on [GitHub](https://github.com/shahradelahi/next-csrf).\n\nThanks again for your support, it is much appreciated! 🙏\n\n## License\n\n[MIT](/LICENSE) © [Shahrad Elahi](https://github.com/shahradelahi)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshahradelahi%2Fnext-csrf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fshahradelahi%2Fnext-csrf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshahradelahi%2Fnext-csrf/lists"}