Security

CSRF Protection

Prevent cross-site request forgery with double-submit cookie patterns and SameSite enforcement.

Overview

A CSRF attack tricks a victim's browser into sending a request the user never intended, and the browser attaches the user's session cookie to it, so the server sees an apparently legitimate authenticated request. Meridian uses a stateless double-submit cookie strategy: the token lives only in the browser, and no server-side session storage is required.

Step 1 — Generate the token

On first visit, generate a cryptographically random token (at least 128 bits from a CSPRNG). Set it as a cookie with Secure and SameSite=Strict. Then deliver the same token to the page in one of two ways: render it into a hidden form field server-side, or let client-side script read the cookie and send it in a custom request header. Mark the cookie HttpOnly only in the first case; script cannot read an HttpOnly cookie, so the header variant needs a readable cookie. Because the token carries no server-side state, anyone who can set cookies for your domain (script injection, or a compromised sibling subdomain) can plant a matching pair; if that is in your threat model, sign the token with a server-held key so only the server can mint valid values.

Step 2 — Validate on mutation

For every POST, PUT, PATCH, or DELETE request, compare the cookie value with the token from the header or body field using a constant-time comparison. Reject the request if either value is missing or the two differ; never fall back to accepting a request that carries only one of them.

Step 3 — Rotate on login

Issue a fresh token after successful authentication and send it in a new Set-Cookie, which overwrites the old value in the browser; because the scheme is stateless, that overwrite is what invalidates the old token. Rotate the session identifier at the same time to defeat session fixation. Rotation after login does not protect the login form itself: the login POST must carry the pre-login token from Step 1, otherwise an attacker can log the victim into an attacker-controlled account (login CSRF).

Edge considerations

  • Use per-request tokens for sensitive operations like password changes, so a token that leaks (for example through a log or a Referer header) cannot be replayed.
  • Verify that the Origin header (or Referer, when Origin is absent) names your own host as a secondary check; browsers set Origin on cross-origin POSTs and a page on another site cannot forge it.
  • Never accept tokens via GET query parameters: they leak through Referer headers, browser history and server logs. More generally, never change state on GET, since the check in Step 2 does not cover it.
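
The three steps above, plus the Origin/Referer and query-string items in this list, combined into one added example. This is not Meridian's own code: the cookie, header and field names, the Request class standing in for a framework request object, and the host app.example.com are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

COOKIE_NAME = "csrf_token"      # assumed names; Meridian's own may differ
HEADER_NAME = "X-CSRF-Token"
FIELD_NAME = "csrf_token"
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


@dataclass
class Request:
    """Constructed stand-in for a framework request object (not Meridian's API)."""
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)   # parsed body fields only


def generate_token() -> str:
    # Step 1: 256 bits from the OS CSPRNG, URL-safe so it survives headers and forms.
    return secrets.token_urlsafe(32)


def csrf_cookie_header(token: str, readable_by_js: bool) -> str:
    # Step 1: Set-Cookie value. HttpOnly is only possible when the server
    # renders the token into the page; the custom-header variant needs
    # script to read the cookie, so that cookie cannot be HttpOnly.
    attrs = [f"{COOKIE_NAME}={token}", "Path=/", "Secure", "SameSite=Strict"]
    if not readable_by_js:
        attrs.append("HttpOnly")
    return "; ".join(attrs)


def _submitted_token(req: Request):
    # Accept the token from the custom header or the parsed body only.
    # The query string in req.url is deliberately never consulted.
    return req.headers.get(HEADER_NAME) or req.form.get(FIELD_NAME)


def _origin_allowed(req: Request, allowed_hosts) -> bool:
    # Secondary check: prefer Origin, fall back to Referer. A mutation that
    # carries neither is rejected here; a "null" or foreign origin yields a
    # hostname that is not in the allow list.
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if not source:
        return False
    return urlsplit(source).hostname in allowed_hosts


def validate(req: Request, allowed_hosts) -> tuple:
    """Step 2: returns (allowed, reason). Call before any state change."""
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method"
    cookie = req.cookies.get(COOKIE_NAME)
    submitted = _submitted_token(req)
    if not cookie or not submitted:
        return False, "token missing"
    # Constant-time comparison on bytes (str inputs could hold non-ASCII).
    if not hmac.compare_digest(cookie.encode(), submitted.encode()):
        return False, "token mismatch"
    if not _origin_allowed(req, allowed_hosts):
        return False, "origin not allowed"
    return True, "ok"


def rotate_on_login(readable_by_js: bool = True) -> tuple:
    """Step 3: mint a fresh token after authentication. The returned
    Set-Cookie overwrites the old value in the browser; with no server-side
    state, that overwrite is what invalidates the old token."""
    token = generate_token()
    return token, csrf_cookie_header(token, readable_by_js)


if __name__ == "__main__":
    # Constructed requests against the assumed host app.example.com.
    hosts = {"app.example.com"}
    tok, cookie = rotate_on_login()
    good = Request("POST", "https://app.example.com/account/password",
                   headers={HEADER_NAME: tok, "Origin": "https://app.example.com"},
                   cookies={COOKIE_NAME: tok})
    # Forged: the cookie rides along, but the attacker cannot read it to
    # fill the body field, so the pair never matches.
    forged = Request("POST", "https://app.example.com/account/password",
                     headers={"Origin": "https://evil.example"},
                     cookies={COOKIE_NAME: tok}, form={FIELD_NAME: "guess"})
    print(cookie)
    print(validate(good, hosts), validate(forged, hosts))
```

The check order matters: the token comparison runs before the Origin check, so a forged request is rejected on the token alone even if a client strips Origin and Referer; the origin check then catches the residual case of a matching token arriving from a foreign page.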

Next: explore rate limiting to protect your API endpoints from abuse.