CSRF with Next.js server directive w/ Backend Api
For CSRF to work (with Next.js server directive), so that the client requests get forwarded from the Next.js server to our BetterAuth backend API, do we need to manually forward all of the headers to the backend API?
3 Replies
The CSRF checks are only based on origin. Better Auth doesn't set or check custom headers. If an origin is trusted, it's allowed.
Got it, new to BAuth, trying to understand.
Shouldn't we also use an IP address check in the verification table as well? Because a verification request should come from the same IP when completing the verification.
Also, I think the IP address header `x-forwarded-for` can contain multiple values. It currently doesn't check for IP, especially because not everyone enables IP address tracking.
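The two mechanisms discussed in this thread, as an added example that is not Better Auth's code and not from any of the posts above: a minimal origin-only CSRF gate of the kind the first reply describes (safe methods pass, state-changing requests must carry an `Origin`, or failing that a `Referer`, whose origin is in a trusted list), plus a parser for the multi-valued `x-forwarded-for` header raised in the last reply. The request shape, the trusted-origin list, and the `trustedProxyCount` parameter are assumptions made for the example.

```javascript
// Added example: origin-based CSRF check + safe X-Forwarded-For parsing.
// Not Better Auth's implementation; request shape and parameters are assumed.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Normalize an origin-like value ("https://App.example.com:443/") to
// scheme://host[:port]. Returns null for anything that is not an absolute
// URL, including the literal "null" Origin browsers send from sandboxed or
// opaque contexts, which must never match a trusted entry.
function normalizeOrigin(value) {
  try {
    return new URL(value).origin;
  } catch {
    return null;
  }
}

// Origin-only CSRF decision. Browsers attach Origin to cross-site POSTs and a
// page cannot forge it, so a trusted-list match is the whole check; a missing
// or unparseable Origin/Referer on a state-changing request is rejected.
// `request` is an assumed shape: { method, headers } with lowercase header keys.
function csrfCheck(request, trustedOrigins) {
  if (SAFE_METHODS.has(request.method.toUpperCase())) {
    return { ok: true, reason: "safe method" };
  }
  const trusted = new Set(trustedOrigins.map(normalizeOrigin).filter(Boolean));
  const raw = request.headers.origin ?? request.headers.referer;
  const origin = raw ? normalizeOrigin(raw) : null;
  if (!origin) {
    return { ok: false, reason: "missing or unparseable Origin/Referer" };
  }
  return trusted.has(origin)
    ? { ok: true, reason: `trusted origin ${origin}` }
    : { ok: false, reason: `untrusted origin ${origin}` };
}

// X-Forwarded-For is "client, proxy1, proxy2, ...": each hop appends the
// address it saw. Anyone can send the header, so the leftmost entries are
// attacker-controlled; the only value you can trust is the one appended by
// a proxy you operate, counted from the right. `trustedProxyCount` is the
// number of your own proxies in front of the app (assumed parameter).
// Returns null when the header cannot be trusted (no trusted proxies, or
// fewer hops than your proxies would have written).
function clientIpFromXff(xff, trustedProxyCount) {
  if (!xff || trustedProxyCount < 1) return null;
  const hops = xff.split(",").map((s) => s.trim()).filter(Boolean);
  const idx = hops.length - trustedProxyCount;
  return idx >= 0 ? hops[idx] : null;
}

// Constructed sample requests, as a forwarding Next.js server might relay them.
const TRUSTED = ["https://app.example.com", "http://localhost:3000"];
const samples = [
  { method: "POST", headers: { origin: "https://app.example.com" } },
  { method: "POST", headers: { origin: "https://evil.example" } },
  { method: "POST", headers: {} },            // Origin dropped while forwarding
  { method: "POST", headers: { origin: "null" } },
];
for (const req of samples) {
  console.log(req.method, JSON.stringify(req.headers), "->", csrfCheck(req, TRUSTED));
}
console.log(clientIpFromXff("203.0.113.9, 198.51.100.7", 1)); // behind one proxy
```

The third sample is the case the original question is really about: if the Next.js server forwards the body but drops the `Origin` header, an origin-only check cannot tell a legitimate request from a cross-site one and has to reject it, so `Origin` (and `Referer`, if you fall back to it) is the header that must survive the hop.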