RPC "use server" and CSRF Attacks

I’m looking to better understand the CSRF risks associated with SolidStart, specifically regarding the use of RPC calls with the "use server" function. In Next.js, when I process a form with server actions, the risk of CSRF attacks is significantly reduced for a few reasons: 1. Server actions are limited to POST requests. 2. Modern browsers enforce Same-Site cookies by default, which helps mitigate CSRF vulnerabilities. 3. I can further enhance security by ensuring that all cookies have the SameSite=Strict, HttpOnly, and Secure settings. With SolidStart, using "use server" means I’m making an RPC call to that function. It's my understanding that RPC calls use HTTP POST to invoke specific server-side functions by name. Given this, I believe the same three points regarding CSRF risk reduction should apply to SolidStart as well. Am I correct in my understanding? If not, what potential CSRF risks should I be aware of when using RPC calls in SolidStart? Thank you! Chris
4 Replies
Atila
Atila2mo ago
I think you're right. Those are my assumptions as well, Chris. That being said, I still implement a CSRF protection middleware in my apps. SolidStart middleware makes it easier than Next.js does because of how Middlewares are triggered. For example, I often pass an array of security middlewares to my onRequest triggers. One for CSRF and another one for the remaining security headers...
import { createMiddleware } from "@solidjs/start/middleware";
import { csrfProtection } from "./csrf-protection";

export default createMiddleware({
onRequest: [csrfProtection],
});
import { createMiddleware } from "@solidjs/start/middleware";
import { csrfProtection } from "./csrf-protection";

export default createMiddleware({
onRequest: [csrfProtection],
});
I'm about to publish a video where I implement this CSRF protection (checking referrer and origin, not the token) to add Auth in my app - just finishing last editing quirks and I'll update this comment with the link ASAP - I'd love your feedback.
Madaxen86
Madaxen862mo ago
@Atila maybe you can consider publishing a npm package with a middleware which can be configured with env vars?
Atila
Atila2mo ago
busted!! 😅 https://www.npmjs.com/package/shieldwall it's not ready yet though
npm
shieldwall
Security for your Fullstack App 🛡️. Latest version: 0.1.3, last published: 24 days ago. Start using shieldwall in your project by running npm i shieldwall. There are no other projects in the npm registry using shieldwall.
Atila
Atila2mo ago
btw, just published: https://youtu.be/IXvLskm6pxg there's a timestamp for the CSRF Protection there
Atila
YouTube
Implementing Auth from scratch - no dependencies!
💡 "Auth" is a double-abbreviation, it's used to refer to both Authentication (verifying who someone is) and Authorization (determining what they're allowed to do or access). Today we will look at how to implement an Auth system, from managing sessions, registering and logging users in, and of course: security! We'll protect the data and make s...
Want results from more Discord servers?
Add your server