CSRF
This plugin provides mitigations for cross-site request forgery (CSRF): each configured check is evaluated against every request the plugin is installed for, and a request that fails a check is rejected instead of reaching your handler.
There are several ways to prevent CSRF attacks, each with different pros and cons depending on how your website is structured. The mitigations offered here (origin checking and a custom request header) are the ones described in the OWASP Cross-Site Request Forgery Prevention Cheat Sheet. Two caveats apply: origin checks only help if the browser actually sends an Origin header that you require and compare, and the custom-header check relies on cross-site forms being unable to set custom headers, so it must be paired with a CORS policy that does not allow arbitrary origins to send that header.
Example:
install(CSRF) {
    // tests Origin is an expected value
    allowOrigin("http://localhost:8080")

    // tests Origin matches Host header
    originMatchesHost()

    // custom header checks
    checkHeader("X-CSRF-Token")
}
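The snippet above only declares the checks. The following is an added example, not code from the Ktor project or its documentation, showing one complete way to wire them up: the plugin is installed on a route group, the custom header is validated against a per-session token rather than merely required to be present, and the session cookie is marked SameSite. The `UserSession` class, the token helper, the route paths and the origin `https://app.example.com` are illustrative; the validation lambda on `checkHeader` and the `onFailure` handler are used here as the Ktor 3 CSRF plugin API as the author of this example understands it, so verify the signatures against the version you run.

```kotlin
// Added example (not part of the Ktor documentation): CSRF plugin combined with a
// per-session token carried in a custom header.
// Assumptions: UserSession, newCsrfToken, the route paths and the allowed origin are
// illustrative; checkHeader's validation lambda and onFailure are assumed to exist
// with the shapes used below (check against your Ktor version).
import io.ktor.http.*
import io.ktor.server.application.*
import io.ktor.server.plugins.csrf.*
import io.ktor.server.response.*
import io.ktor.server.routing.*
import io.ktor.server.sessions.*
import java.security.MessageDigest
import java.security.SecureRandom
import java.util.Base64

// Session payload holding the CSRF token for this browser session (assumed name).
data class UserSession(val csrfToken: String)

// 32 bytes from SecureRandom, base64url-encoded without padding (constructed helper).
fun newCsrfToken(): String {
    val bytes = ByteArray(32).also { SecureRandom().nextBytes(it) }
    return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes)
}

// Constant-time comparison so the check does not leak how many bytes matched.
fun tokensMatch(expected: String?, presented: String): Boolean =
    expected != null && MessageDigest.isEqual(expected.toByteArray(), presented.toByteArray())

fun Application.module() {
    install(Sessions) {
        cookie<UserSession>("user_session") {
            cookie.httpOnly = true
            cookie.secure = true                   // never sent over plain HTTP
            cookie.extensions["SameSite"] = "Lax"  // browser refuses to attach it to cross-site POSTs
        }
    }

    routing {
        // Unprotected: hands the token to same-origin page scripts, creating the session if needed.
        get("/csrf-token") {
            val session = call.sessions.get<UserSession>()
                ?: UserSession(newCsrfToken()).also { call.sessions.set(it) }
            call.respondText(session.csrfToken)
        }

        // Protected: every request under /api must pass all three checks.
        route("/api") {
            install(CSRF) {
                allowOrigin("https://app.example.com")   // assumed deployment origin
                originMatchesHost()
                // Header must equal the token stored in the caller's own session.
                checkHeader("X-CSRF-Token") { headerValue ->
                    tokensMatch(sessions.get<UserSession>()?.csrfToken, headerValue)
                }
                onFailure {
                    respondText("CSRF check failed", status = HttpStatusCode.Forbidden)
                }
            }

            post("/transfer") {
                call.respondText("transfer accepted")
            }
        }
    }
}
```

A cross-site form can submit to `/api/transfer` with the session cookie attached only if SameSite does not block it, and even then it cannot add `X-CSRF-Token`, so the header check fails; a cross-origin script can only add the header if your CORS configuration lets that origin send it. Installing the plugin on the `/api` group keeps the token-issuing endpoint outside the check, avoiding the situation where no request can ever obtain a token.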
See also
io.ktor.server.sessions.SameSite
for stopping the browser from attaching the session cookie to requests initiated by navigation or form submission from external sites