Skip to Content
DocumentationHive RouterConfigurationcsrf

csrf

The csrf configuration object enables and configures Cross-Site Request Forgery (CSRF) protection for your GraphQL endpoint. This is a critical security measure for any router exposed to web browsers.

For detailed explanations of the threat and implementation strategies, see the CSRF Prevention.

Options

enabled

  • Type: boolean
  • Default: false

Enables or disables the CSRF prevention middleware. It is strongly recommended to set this to true in production environments.

required_headers

  • Type: string[]
  • Default: []

A list of case-insensitive header names. If a request includes at least one of these headers, it will be considered safe from CSRF. Your client application must be configured to send one of these headers.

Example

router.config.yaml
csrf:
  enabled: true
  required_headers:
    - 'X-CSRF-Token'
    - 'apollographql-client-name'
Last updated on
corsheaders