CSRF
Understanding Cross-Site Request Forgery (CSRF) Protection in GoBetterAuth
Cross-Site Request Forgery (CSRF) is a security vulnerability that allows attackers to trick users into performing actions on a web application without their consent. This typically happens when a user is authenticated and visits a malicious site, which then makes unauthorized requests to the target application on the user's behalf.
GoBetterAuth provides built-in CSRF protection to help secure your authentication flows and sensitive endpoints. This guide explains how CSRF protection works in GoBetterAuth and how you can configure it for your application.
How CSRF Protection Works
GoBetterAuth uses a token-based approach to prevent CSRF attacks:
- CSRF Token Generation: When a user initiates a session, GoBetterAuth generates a unique CSRF token and stores it in a cookie.
- Token Validation: For every state-changing request (e.g., POST, PUT, DELETE), the client must include the CSRF token in a specific request header (e.g. X-GOBETTERAUTH-CSRF-TOKEN). GoBetterAuth validates the token before processing the request.
- Expiration: CSRF tokens have a configurable expiration time to limit their validity window.
CSRF Configuration Options
You can customize CSRF protection in GoBetterAuth using the CSRFConfig struct. Here are the available options:
type CSRFConfig struct {
    Enabled    bool          // Enable or disable CSRF protection
    CookieName string        // Name of the cookie storing the CSRF token
    HeaderName string        // Name of the request header containing the CSRF token
    ExpiresIn  time.Duration // How long the CSRF token is valid
}
Example Configuration
Below is an example of how you might configure CSRF protection in your GoBetterAuth setup:
import (
    "time" // needed for time.Minute in ExpiresIn below

    gobetterauthconfig "github.com/GoBetterAuth/go-better-auth/config"
    gobetterauthmodels "github.com/GoBetterAuth/go-better-auth/models"
)

config := gobetterauthconfig.NewConfig(
    // Other config options...
    gobetterauthconfig.WithCSRF(
        gobetterauthmodels.CSRFConfig{
            Enabled:    true,             // default is set to false
            CookieName: "csrf_token",     // default is set to "gobetterauth_csrf"
            HeaderName: "X-CSRF-Token",   // default is set to "X-GOBETTERAUTH-CSRF-TOKEN"
            ExpiresIn:  15 * time.Minute, // default is set to 7 days
        },
    ),
)
How to Use CSRF Protection
- Enable CSRF in your config: Set Enabled: true in the CSRF config.
- Include CSRF token in requests: For any state-changing request, ensure your frontend reads the CSRF token from the cookie and sends it in the configured header (e.g. X-GOBETTERAUTH-CSRF-TOKEN).
- Validation: GoBetterAuth will automatically validate the token for certain POST endpoints. If the token is missing or invalid, the request will be rejected.
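The flow described in "How CSRF Protection Works" and in the steps above, written out as a stand-alone net/http example that is added here and is not GoBetterAuth's own code: the cookie copy of the token is compared in constant time with the header copy, and the token is rejected once it is older than ExpiresIn. The CSRFConfig stand-in and the "<issue-time>.<random>" token format are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// CSRFConfig is a local stand-in with the four fields documented above, not the GoBetterAuth type.
type CSRFConfig struct {
	Enabled    bool
	CookieName string
	HeaderName string
	ExpiresIn  time.Duration
}

// IssueToken mints "<unix-issue-time>.<32 hex random chars>" (a constructed format) and
// returns the cookie the frontend reads; it is deliberately not HttpOnly so a script can read it.
func IssueToken(cfg CSRFConfig, now time.Time) (*http.Cookie, error) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	value := strconv.FormatInt(now.Unix(), 10) + "." + hex.EncodeToString(buf)
	return &http.Cookie{Name: cfg.CookieName, Value: value, Path: "/", Secure: true,
		SameSite: http.SameSiteLaxMode, Expires: now.Add(cfg.ExpiresIn)}, nil
}

// ValidateRequest applies the double-submit rule to state-changing methods: the header
// copy must equal the cookie copy (compared in constant time) and be younger than ExpiresIn.
func ValidateRequest(cfg CSRFConfig, r *http.Request, now time.Time) error {
	if !cfg.Enabled || r.Method == http.MethodGet || r.Method == http.MethodHead || r.Method == http.MethodOptions {
		return nil // protection off, or a safe method that must not change state
	}
	c, err := r.Cookie(cfg.CookieName)
	h := r.Header.Get(cfg.HeaderName)
	if err != nil || h == "" || subtle.ConstantTimeCompare([]byte(h), []byte(c.Value)) != 1 {
		return errors.New("csrf cookie or header missing, or the two copies differ")
	}
	issued, _, ok := strings.Cut(c.Value, ".")
	if sec, perr := strconv.ParseInt(issued, 10, 64); !ok || perr != nil || now.Sub(time.Unix(sec, 0)) > cfg.ExpiresIn {
		return errors.New("csrf token malformed or expired")
	}
	return nil
}
```

Wire ValidateRequest in front of any handler that changes state and respond with 403 when it returns an error; safe methods pass through untouched.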
Best Practices
- Always enable CSRF protection for any endpoint that modifies state (e.g., POST, PUT, DELETE).
- Use secure, HTTP-only cookies for storing CSRF tokens when possible. Note that a browser script cannot read an HttpOnly cookie, so HttpOnly is only compatible with the flow above when the token also reaches the frontend through another channel; otherwise keep the cookie readable and still set the Secure and SameSite attributes.
Summary
GoBetterAuth makes it easy to protect your application from CSRF attacks with simple configuration and automatic validation. By following the steps above and using the provided configuration options, you can ensure your authentication flows and sensitive endpoints are secure.
