/Knowledge/sources/honojs__hono/llms-full/csrf-protection-options-secfetchsite-string-string-function--3797e8bc57fb.md
CSRF Protection: Options > secFetchSite: string | string[] | Function...
CSRF Protection: Options secFetchSite: string | string[] | Function Source evidence: /Sources/honojs hono/provenance.md Canonical citation: https://hono.dev/...
CSRF Protection: Options > secFetchSite: string | string[] | Function
Source evidence: /Sources/honojs__hono/provenance.md Canonical citation: https://hono.dev/llms-full.txt#secfetchsite-string-string-function
Summary
Specify allowed Sec-Fetch-Site header values for CSRF protection using Fetch Metadata. - string: Single allowed value (e.g., 'same-origin') - string[]: Array of allowed values (e.g...
Content
Specify allowed Sec-Fetch-Site header values for CSRF protection using Fetch Metadata.
string: Single allowed value (e.g.,'same-origin')string[]: Array of allowed values (e.g.,['same-origin', 'none'])Function: Custom handler(secFetchSite: string, context: Context) => booleanfor flexible validation
Default: Only allows 'same-origin'
Standard Sec-Fetch-Site values:
same-origin: Request from same originsame-site: Request from same site (different subdomain)cross-site: Request from different sitenone: Request not from a web page (e.g., browser address bar, bookmark)
The function handler receives the request's Sec-Fetch-Site header value and the request context, enabling dynamic validation based on request properties.
Metadata
{
"chunk_index": 0,
"citation": "https://hono.dev/llms-full.txt#secfetchsite-string-string-function",
"coverage_role": "overview",
"qualified_title": "Hono / llms-full / CSRF Protection > Options > secFetchSite: `string` | `string[]` | `Function`",
"retrieved_at": "2026-07-02T05:51:01Z",
"section_index": 145,
"source_id": "/honojs/hono",
"source_type": "llms_full",
"target_label": "llms-full",
"title": "CSRF Protection: Options > secFetchSite: string | string[] | Function",
"upstream_url": "https://hono.dev/llms-full.txt",
"version": "2026"
}