CSRF Protection Agent Skill
CSRF protection — SameSite cookies, double-submit pattern, token validation.
The Skill
Full content, every format. Copy it, download it, or install with one command.
---
description: CSRF protection — SameSite cookies, double-submit pattern, token validation.
homepage: https://yepapi.com/skills/csrf-protection
metadata:
tags: [security, csrf, cookies, forms]
---
# CSRF Protection
## Rules
- Set `SameSite=Lax` on all cookies: the browser then withholds them from cross-site POSTs, fetches and subresource loads, which stops most CSRF by default. Lax still attaches cookies to top-level GET navigations, and SameSite does nothing against an attacker on a sibling subdomain, so it is a baseline, not the whole defense.
- Use `SameSite=Strict` for highly sensitive actions (account deletion, password change).
- Implement the double-submit cookie pattern for custom APIs: CSRF token in a cookie plus the same token in a request header. Bind the token to the session (for example an HMAC over the session id) so an attacker who can plant a cookie for your domain cannot supply a matching pair.
- Include CSRF tokens in all HTML forms that perform state-changing actions.
- Verify the `Origin` header (falling back to `Referer`) on state-changing requests as defense in depth, and reject the request when neither is present rather than failing open.
- Next.js Server Actions and SvelteKit form actions check the request origin for you: use them instead of hand-rolled form handling.
- For SPAs: send the CSRF token in a custom header (`X-CSRF-Token`). A custom header makes the request non-simple, so a cross-origin page cannot send it without a CORS preflight that your server would have to approve; no other origin can set that header silently.
```ts
// Double-submit cookie pattern (Express, with cookie-parser mounted so req.cookies exists).
// The token lives in a JS-readable cookie and must be echoed back in a custom
// header on every state-changing request.
import crypto from "crypto";
import type { Request, Response } from "express";

function generateCsrfToken(res: Response): string {
  const token = crypto.randomBytes(32).toString("hex");
  // httpOnly: false on purpose: the client script has to read it to set the header
  res.cookie("csrf_token", token, { httpOnly: false, sameSite: "strict", secure: true });
  return token;
}

function verifyCsrf(req: Request): void {
  const cookieToken = req.cookies?.csrf_token;
  const header = req.headers["x-csrf-token"];
  const headerToken = Array.isArray(header) ? header[0] : header;
  if (typeof cookieToken !== "string" || typeof headerToken !== "string") {
    throw new Error("CSRF validation failed");
  }
  // constant-time comparison so the check cannot leak token bytes via timing
  const a = Buffer.from(cookieToken, "utf8");
  const b = Buffer.from(headerToken, "utf8");
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) {
    throw new Error("CSRF validation failed");
  }
}
```
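The Origin/Referer rule above, and the rule that only state-changing methods get checked, as an added example that is not part of the skill's own code. It is framework-agnostic (the `MinimalReq`/`MinimalRes` shapes and the `csrfOriginCheck` name are this example's own, chosen to line up with Express-style middleware) and fails closed when neither header is present.

```ts
// Added example: Origin/Referer verification for state-changing requests.
// GET/HEAD/OPTIONS are never checked, which is exactly why a GET must not change state.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

type HeaderMap = Record<string, string | undefined>; // Node lower-cases header names

interface MinimalReq { method: string; headers: HeaderMap }
interface MinimalRes { status(code: number): { end(body: string): void } }

function requiresCsrfCheck(method: string): boolean {
  return !SAFE_METHODS.has(method.toUpperCase());
}

// The origin the browser attributes the request to. Browsers send Origin on POST and
// on every cross-origin request; Referer is the fallback. Returns null when neither is
// usable so callers fail closed.
function requestOrigin(headers: HeaderMap): string | null {
  const origin = headers["origin"];
  // An Origin header is authoritative when present. It may be the literal "null"
  // (opaque origin, e.g. a sandboxed iframe); that value is never in the allow-list.
  if (origin !== undefined) return origin;
  const referer = headers["referer"];
  if (referer === undefined) return null;
  try {
    return new URL(referer).origin; // scheme://host[:port], path and query stripped
  } catch {
    return null; // a malformed Referer is treated as absent
  }
}

function isTrustedOrigin(headers: HeaderMap, allowed: Set<string>): boolean {
  const origin = requestOrigin(headers);
  return origin !== null && allowed.has(origin);
}

// Middleware factory. `allowed` lists the exact origins (scheme, host, port) that may
// drive state-changing requests, e.g. ["https://app.example.com"]. Compare against
// configuration, not the incoming Host header, so a spoofed Host cannot widen the list.
function csrfOriginCheck(allowed: string[]) {
  const allowedSet = new Set(allowed);
  return (req: MinimalReq, res: MinimalRes, next: () => void): void => {
    if (!requiresCsrfCheck(req.method)) {
      next();
      return;
    }
    if (!isTrustedOrigin(req.headers, allowedSet)) {
      res.status(403).end("CSRF check failed: untrusted or missing Origin");
      return;
    }
    next();
  };
}
```

Mount it before the route handlers and keep the token check as well: the origin check is defense in depth, and it does not help when the request genuinely comes from your own origin (for example via XSS). Non-browser clients that do not send Origin should authenticate with a bearer token on a separate path rather than relaxing this check.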
## Avoid
- Relying only on cookie-based auth without CSRF protection: any site can submit a form to your endpoints and the browser attaches your cookies to it.
- CSRF tokens that never rotate: a leaked token stays valid for as long as the session does, so issue a fresh token per session (at login) and bind it to that session.
- GET requests that change state: `SameSite=Lax` still sends cookies on top-level GET navigations (links, redirects, opened tabs), and the token checks on POST/PUT/DELETE do nothing for a GET, so a state-changing GET is forgeable with a plain link.
- Disabling CSRF protection because "it's just an API": if a browser can authenticate to it with cookies, CSRF applies.
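The session-bound variant of the double-submit pattern from the Rules, and the per-session rotation asked for in the Avoid list, as an added example that is not the skill's own code. The naive pattern (cookie value equals header value) is defeated by anyone who can set a cookie for your registrable domain, such as a compromised sibling subdomain, because they can plant both halves. Adding an HMAC over the session id closes that gap. `CSRF_SECRET` is generated in-process here for the demonstration; in production it is an assumed config/KMS-backed secret, and `issueCsrfToken`/`verifyCsrfToken` are names chosen for this example.

```ts
// Added example: signed (session-bound) double-submit CSRF token.
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// Server-side secret. Generated here so the example runs stand-alone; load it from
// configuration or a KMS in a real deployment (assumption, not the page's setup).
const CSRF_SECRET: Buffer = randomBytes(32);

function constantTimeEqual(a: string, b: string): boolean {
  const ab = Buffer.from(a, "utf8");
  const bb = Buffer.from(b, "utf8");
  if (ab.length !== bb.length) return false; // length leaks nothing secret here
  return timingSafeEqual(ab, bb);
}

function macFor(sessionId: string, nonce: string, secret: Buffer): string {
  return createHmac("sha256", secret).update(`${sessionId}:${nonce}`).digest("hex");
}

// Issue at login (and again whenever the session id changes). Token format is
// "<nonce>.<hmac>", where the HMAC binds the random nonce to this session id.
// Set it in the JS-readable cookie and have the client echo it in X-CSRF-Token.
function issueCsrfToken(sessionId: string, secret: Buffer = CSRF_SECRET): string {
  const nonce = randomBytes(16).toString("hex");
  return `${nonce}.${macFor(sessionId, nonce, secret)}`;
}

// Verify on every state-changing request. `sessionId` comes from the server-side
// session the request authenticated as, never from the request body.
function verifyCsrfToken(
  opts: { cookieToken?: string; headerToken?: string; sessionId: string },
  secret: Buffer = CSRF_SECRET,
): boolean {
  const { cookieToken, headerToken, sessionId } = opts;
  if (!cookieToken || !headerToken) return false;          // both halves required
  if (!constantTimeEqual(cookieToken, headerToken)) return false; // classic double-submit check
  const parts = cookieToken.split(".");
  if (parts.length !== 2 || !parts[0] || !parts[1]) return false; // malformed token
  const [nonce, mac] = parts;
  // A planted cookie carries no valid MAC for this session without the secret.
  return constantTimeEqual(mac, macFor(sessionId, nonce, secret));
}
```

Because the token is derived from the session id, it rotates automatically when the session is recreated at login, and nothing beyond the secret needs to be stored server-side. Setting the cookie with the `__Host-` prefix (which requires `Secure`, no `Domain` attribute and `Path=/`) additionally stops subdomains from planting it in the first place.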
Why Use the CSRF Protection Skill?
Without this skill, your AI guesses at CSRF protection patterns. It might hallucinate deprecated APIs, use outdated conventions, or miss best practices entirely. With it, your AI follows a proven ruleset, and every suggestion aligns with current standards.
Drop this skill into your project and your AI instantly knows the rules. Better code suggestions, fewer errors, faster shipping.
Try These Prompts
These prompts work better with the CSRF Protection skill installed. Your AI knows the context and writes code that fits.
"Implement CSRF protection using the double-submit cookie pattern for my API"
"Add SameSite cookie configuration and Origin header verification to my forms"
"Create a CSRF middleware that validates tokens on all state-changing requests"
CSRF Protection skill — FAQ
It provides rules for SameSite cookie configuration, double-submit cookie patterns, and CSRF token validation for forms and APIs. Your AI writes CSRF-safe code without you needing to think about cross-site request forgery.
Run `npx skills add YepAPI/skills --skill csrf-protection` in your project root. This copies the skill file into your repo where your AI coding tool can read it automatically.
Yes. Next.js Server Actions and SvelteKit form actions include built-in CSRF protection. The skill covers these frameworks plus custom API implementations using the double-submit cookie pattern.