Cross-Site Request Forgery (CSRF) is a security vulnerability where an attacker tricks users into submitting unintended requests. This guide will show you how to implement CSRF protection in your SvelteKit app using a server hook.
By default, SvelteKit has built-in CSRF protection that checks the request’s origin. Since we are implementing our own CSRF middleware, we must disable SvelteKit’s built-in CSRF origin check.
Open your svelte.config.ts (or svelte.config.js) and update it like this:
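With SvelteKit's built-in check (the `kit.csrf.checkOrigin` option) turned off, the server hook becomes the only origin check, so it has to cover every state-changing method and reject requests that carry no usable Origin or Referer. The hook below is an added example, not code from this guide: the allowed-origin list, the function names and the structural `HandleInput` type are assumptions chosen so the file runs without `@sveltejs/kit` installed.

```typescript
// Added example (not from the guide): src/hooks.server.ts with a custom CSRF origin check.
// Assumes kit.csrf.checkOrigin is false in svelte.config.js, so nothing else checks Origin.

// Assumed deployment origin; in a real app read this from configuration.
const ALLOWED_ORIGINS: ReadonlySet<string> = new Set(['https://app.example.com']);

// Methods that may change state and therefore need the check; GET/HEAD/OPTIONS are exempt.
const UNSAFE_METHODS: ReadonlySet<string> = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Returns null when the request may proceed, otherwise a short reason for the 403.
export function csrfRejectReason(
  request: Request,
  allowed: ReadonlySet<string> = ALLOWED_ORIGINS
): string | null {
  if (!UNSAFE_METHODS.has(request.method.toUpperCase())) return null;

  // Browsers send Origin on cross-site POSTs; an opaque origin arrives as the literal
  // string "null", which is never in the allow-list and so is rejected here.
  const origin = request.headers.get('origin');
  if (origin !== null) {
    return allowed.has(origin) ? null : `origin ${origin} not allowed`;
  }

  // Some clients omit Origin but still send Referer; compare only its origin part.
  const referer = request.headers.get('referer');
  if (referer !== null) {
    try {
      const refOrigin = new URL(referer).origin;
      return allowed.has(refOrigin) ? null : `referer origin ${refOrigin} not allowed`;
    } catch {
      return 'malformed referer';
    }
  }

  // Neither header present: fail closed rather than assume a same-origin request.
  return 'missing origin and referer';
}

// Structural stand-in for SvelteKit's Handle type (assumed; avoids importing @sveltejs/kit).
type HandleInput = {
  event: { request: Request };
  resolve: (event: { request: Request }) => Promise<Response>;
};

export async function handle({ event, resolve }: HandleInput): Promise<Response> {
  const reason = csrfRejectReason(event.request);
  if (reason !== null) {
    return new Response(`Forbidden: ${reason}`, { status: 403 });
  }
  return resolve(event);
}
```

Because this check applies to every unsafe method rather than only to form content types, non-browser API clients must send a matching Origin header or be routed around the hook.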