CSRF Protection

Cross-site request forgery (CSRF or XSRF) is a type of attack in which a malicious site causes a victim's browser to send unwanted, state-changing requests to a web application where the victim is already authenticated; the application cannot distinguish those requests from legitimate ones because the browser attaches the victim's cookies automatically. To help prevent this, you can use the csrf-csrf package.

Use with Express (default)

Start by installing the required package:


$ npm i csrf-csrf
Warning: As noted in the csrf-csrf documentation, this middleware requires session middleware or cookie-parser to be initialized beforehand, because the CSRF cookie must be parsed before the protection middleware runs. Please refer to the documentation for further details.

Once the installation is complete, register the csrf-csrf middleware as global middleware.


import cookieParser from 'cookie-parser';
import { doubleCsrf } from 'csrf-csrf';
// ...
// somewhere in your initialization file
// csrf-csrf needs the CSRF cookie to be parsed already, so cookie-parser
// (or session middleware) must be registered before the protection middleware.
app.use(cookieParser());
// Minimal options: getSecret is required by csrf-csrf and must return the
// secret used to sign the token cookie. CSRF_SECRET is a placeholder name;
// load the real value from your configuration.
const doubleCsrfOptions = {
  getSecret: () => process.env.CSRF_SECRET,
};
const {
  invalidCsrfTokenError, // This is provided purely for convenience if you plan on creating your own middleware.
  generateToken, // Use this in your routes to generate and provide a CSRF hash, along with a token cookie and token.
  validateRequest, // Also a convenience if you plan on making your own middleware.
  doubleCsrfProtection, // This is the default CSRF protection middleware.
} = doubleCsrf(doubleCsrfOptions);
app.use(doubleCsrfProtection);

Use with Fastify

Start by installing the required package:


$ npm i --save @fastify/csrf-protection

Once the installation is complete, register the @fastify/csrf-protection plugin, as follows:


import fastifyCsrf from '@fastify/csrf-protection';
// ...
// somewhere in your initialization file after registering some storage plugin
await app.register(fastifyCsrf);
Warning: As explained in the @fastify/csrf-protection documentation, this plugin requires a storage plugin (such as a cookie or session plugin) to be registered first. Please see that documentation for further instructions.
