/Knowledge/sources/honojs__hono/llms-full/csrf-protection-usage--64483f0f5ffb.md
CSRF Protection: Usage - hono-docs
CSRF Protection: Usage Source evidence: /Sources/honojs hono/provenance.md Canonical citation: https://hono.dev/llms full.txt usage Summary ts const app = ne...
CSRF Protection: Usage
Source evidence: /Sources/honojs__hono/provenance.md Canonical citation: https://hono.dev/llms-full.txt#usage
Summary
## Content
```ts
const app = new Hono()
// Default: both origin and sec-fetch-site validation
app.use(csrf())
// Allow specific origins
app.use(csrf({ origin: 'https://myapp.example.com' }))
// Allow multiple origins
app.use(
csrf({
origin: [
'https://myapp.example.com',
'https://development.myapp.example.com',
],
})
)
// Allow specific sec-fetch-site values
app.use(csrf({ secFetchSite: 'same-origin' }))
app.use(csrf({ secFetchSite: ['same-origin', 'none'] }))
// Dynamic origin validation
// It is strongly recommended that the protocol be verified to ensure a match to `$`.
// You should *never* do a forward match.
app.use(
'*',
csrf({
origin: (origin) =>
/https:\/\/(\w+\.)?myapp\.example\.com$/.test(origin),
})
)
// Dynamic sec-fetch-site validation
app.use(
csrf({
secFetchSite: (secFetchSite, c) => {
// Always allow same-origin
if (secFetchSite === 'same-origin') return true
// Allow cross-site for webhook endpoints
if (
secFetchSite === 'cross-site' &&
c.req.path.startsWith('/webhook/')
) {
return true
}
return false
},
})
)
Metadata
{
"chunk_index": 0,
"citation": "https://hono.dev/llms-full.txt#usage",
"coverage_role": "overview",
"qualified_title": "Hono / llms-full / CSRF Protection > Usage",
"retrieved_at": "2026-07-02T05:51:01Z",
"section_index": 142,
"source_id": "/honojs/hono",
"source_type": "llms_full",
"target_label": "llms-full",
"title": "CSRF Protection: Usage",
"upstream_url": "https://hono.dev/llms-full.txt",
"version": "2026"
}