/Knowledge/sources/honojs__hono/llms-full/csrf-protection-options-origin-string-string-function--d116f8460cd7.md
CSRF Protection: Options > origin: string | string[] | Function - hon...
CSRF Protection: Options origin: string | string[] | Function Source evidence: /Sources/honojs hono/provenance.md Canonical citation: https://hono.dev/llms f...
CSRF Protection: Options > origin: string | string[] | Function
Source evidence: /Sources/honojs__hono/provenance.md Canonical citation: https://hono.dev/llms-full.txt#origin-string-string-function
Summary
Specify allowed origins for CSRF protection. - string: Single allowed origin (e.g., 'https://example.com') - string[]: Array of allowed origins - Function: Custom handler `(origin: string, context: Context) => boolean...
Content
Specify allowed origins for CSRF protection.
string: Single allowed origin (e.g.,'https://example.com')string[]: Array of allowed originsFunction: Custom handler(origin: string, context: Context) => booleanfor flexible origin validation and bypass logic
Default: Only same origin as the request URL
The function handler receives the request's Origin header value and the request context, allowing for dynamic validation based on request properties like path, headers, or other context data.
Metadata
{
"chunk_index": 0,
"citation": "https://hono.dev/llms-full.txt#origin-string-string-function",
"coverage_role": "overview",
"qualified_title": "Hono / llms-full / CSRF Protection > Options > origin: `string` | `string[]` | `Function`",
"retrieved_at": "2026-07-02T05:51:01Z",
"section_index": 144,
"source_id": "/honojs/hono",
"source_type": "llms_full",
"target_label": "llms-full",
"title": "CSRF Protection: Options > origin: string | string[] | Function",
"upstream_url": "https://hono.dev/llms-full.txt",
"version": "2026"
}