/Knowledge/sources/honojs__hono/llms-full/csrf-protection-usage--64483f0f5ffb.md

CSRF Protection: Usage - hono-docs

CSRF Protection: Usage Source evidence: /Sources/honojs hono/provenance.md Canonical citation: https://hono.dev/llms full.txt usage Summary ts const app = ne...

CSRF Protection: Usage

Source evidence: /Sources/honojs__hono/provenance.md Canonical citation: https://hono.dev/llms-full.txt#usage

Summary


## Content
```ts
const app = new Hono()

// Default: both origin and sec-fetch-site validation
app.use(csrf())

// Allow specific origins
app.use(csrf({ origin: 'https://myapp.example.com' }))

// Allow multiple origins
app.use(
  csrf({
    origin: [
      'https://myapp.example.com',
      'https://development.myapp.example.com',
    ],
  })
)

// Allow specific sec-fetch-site values
app.use(csrf({ secFetchSite: 'same-origin' }))
app.use(csrf({ secFetchSite: ['same-origin', 'none'] }))

// Dynamic origin validation
// It is strongly recommended that the protocol be verified to ensure a match to `$`.
// You should *never* do a forward match.
app.use(
  '*',
  csrf({
    origin: (origin) =>
      /https:\/\/(\w+\.)?myapp\.example\.com$/.test(origin),
  })
)

// Dynamic sec-fetch-site validation
app.use(
  csrf({
    secFetchSite: (secFetchSite, c) => {
      // Always allow same-origin
      if (secFetchSite === 'same-origin') return true
      // Allow cross-site for webhook endpoints
      if (
        secFetchSite === 'cross-site' &&
        c.req.path.startsWith('/webhook/')
      ) {
        return true
      }
      return false
    },
  })
)

Metadata

{
  "chunk_index": 0,
  "citation": "https://hono.dev/llms-full.txt#usage",
  "coverage_role": "overview",
  "qualified_title": "Hono / llms-full / CSRF Protection > Usage",
  "retrieved_at": "2026-07-02T05:51:01Z",
  "section_index": 142,
  "source_id": "/honojs/hono",
  "source_type": "llms_full",
  "target_label": "llms-full",
  "title": "CSRF Protection: Usage",
  "upstream_url": "https://hono.dev/llms-full.txt",
  "version": "2026"
}
Kinic Wiki
Loading knowledge node
Details

Identity

database
db_23dhmsxlhukv
database_id
db_23dhmsxlhukv
path
/Knowledge/sources/honojs__hono/llms-full/csrf-protection-usage--64483f0f5ffb.md
kind
directory
role
markdown_note
children
0

Metadata

created_at
virtual
updated_at
virtual
etag
virtual
metadata_json
{}

Lint Hints

No lightweight warnings.

Outgoing Links

No outgoing links indexed.

Incoming Links

Select a file node to inspect backlinks.

Raw Source

No raw source path inferred.