# RPC "use server" and CSRF Attacks

4 messages · Page 1 of 1 (latest)

proud wing

I’m looking to better understand the CSRF risks associated with SolidStart, specifically regarding the use of RPC calls with the "use server" function.

In Next.js, when I process a form with server actions, the risk of CSRF attacks is significantly reduced for a few reasons:

  1. Server actions are limited to POST requests.
  2. Modern browsers enforce Same-Site cookies by default, which helps mitigate CSRF vulnerabilities.
  3. I can further enhance security by ensuring that all cookies have the SameSite=Strict, HttpOnly, and Secure settings.

With SolidStart, using "use server" means I’m making an RPC call to that function. It's my understanding that RPC calls use HTTP POST to invoke specific server-side functions by name.

Given this, I believe the same three points regarding CSRF risk reduction should apply to SolidStart as well.

Am I correct in my understanding? If not, what potential CSRF risks should I be aware of when using RPC calls in SolidStart?

Thank you!

Chris

spice light

I think you're right. Those are my assumptions as well, Chris.

That being said, I still implement a CSRF protection middleware in my apps. SolidStart middleware makes it easier than Next.js does because of how middlewares are triggered.

For example, I often pass an array of security middlewares to my onRequest triggers. One for CSRF and another one for the remaining security headers...

```js
import { createMiddleware } from "@solidjs/start/middleware";
import { csrfProtection } from "./csrf-protection";

export default createMiddleware({
  // onRequest accepts an array of handlers; each runs before the route/RPC call
  onRequest: [csrfProtection],
});
```

I'm about to publish a video where I implement this CSRF protection (checking referrer and origin, not the token) to add Auth in my app - just finishing last editing quirks and I'll update this comment with the link ASAP - I'd love your feedback.
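An Origin/Referer check of the kind described in this post, as an added example (not the poster's code and not part of SolidStart; the shape of the `onRequest` event, the `csrfProtection` factory and the `allowedHosts` parameter are assumptions):

```javascript
// Added example: Origin/Referer based CSRF check plus a factory returning an
// onRequest handler, to be wired as createMiddleware({ onRequest: [csrfProtection()] }).
// Assumption: SolidStart hands each onRequest handler an event whose `request`
// is a standard Fetch `Request`, and a returned Response ends the request early.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Returns null when the request passes, otherwise a short rejection reason.
// `allowedHosts`: extra hosts permitted to send state-changing requests (assumed option).
function checkCsrf(req, allowedHosts = []) {
  // Only state-changing methods matter; "use server" RPC calls arrive as POST.
  if (SAFE_METHODS.has(req.method.toUpperCase())) return null;

  // Expected host: the Host header, falling back to the absolute request URL.
  const expectedHost = req.headers.get("host") ?? new URL(req.url).host;

  // Browsers always send Origin on cross-origin POSTs; Referer is the fallback
  // for same-origin form posts from older browsers that omit Origin.
  const source = req.headers.get("origin") ?? req.headers.get("referer");
  if (source === null) return "missing Origin and Referer headers";

  let sourceHost;
  try {
    // An opaque origin ("null") is not a valid URL, throws here, and is rejected.
    sourceHost = new URL(source).host;
  } catch {
    return "unparseable Origin/Referer";
  }

  if (sourceHost === expectedHost || allowedHosts.includes(sourceHost)) return null;
  return `cross-site request from ${sourceHost}`;
}

// Builds the handler to place in the onRequest array.
function csrfProtection(allowedHosts = []) {
  return (event) => {
    const reason = checkCsrf(event.request, allowedHosts);
    if (reason === null) return undefined; // fall through to the route / RPC function
    return new Response(`Forbidden: ${reason}`, { status: 403 });
  };
}
```

Reading Origin before Referer matters because Referer is routinely stripped by referrer policies, while Origin is always present on cross-origin POSTs.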

sinful crane

@spice light maybe you can consider publishing an npm package with a middleware which can be configured with env vars?

spice light