Remix Utils - v9.1.0

    Configuration options for the CSRF token middleware.

    interface Options {
        cookie: Cookie;
        formDataKey?: string;
        onInvalidToken?: InvalidTokenHandler;
        origin?: createCsrfTokenMiddleware.Origin;
        safeMethods?: createCsrfTokenMiddleware.RequestMethod[];
        secret?: string;
    }

    Properties

    cookie: Cookie

    The cookie object to use for storing the CSRF token. Should be configured with httpOnly, secure (in production), and sameSite: "lax" or "strict".

    formDataKey?: string

    The name of the form field containing the CSRF token.

    Default: "csrf"
    
    onInvalidToken?: InvalidTokenHandler

    Custom handler for requests with invalid CSRF tokens. Use this to log attempts, return custom error responses, or implement additional security measures.

    Default: throws a 403 Forbidden response.
    

    origin?: createCsrfTokenMiddleware.Origin

    Trusted origins that bypass CSRF token validation.

    When a request comes from a trusted origin, the middleware skips token validation and allows the request through. This is useful for allowing cross-site form submissions from specific trusted domains.

    The origin is extracted from (in order): Origin header, Referer header, or request.referrer property.

    • String: exact match (case-insensitive)
    • RegExp: pattern match against the origin
    • Array: matches if any element matches
    • Function: custom validation logic with access to request and context
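
The matching rules above, modelled as an added example (not remix-utils source code) to show why a RegExp given to `origin` should be anchored. The helper names `originOf` and `isTrusted`, the sample origins, the reduction of the Referer to its origin, and the `(origin, request)` argument shape for the function form are assumptions.

```javascript
// Added example: a stand-alone model of the documented `origin` rules.
// NOT remix-utils source; originOf and isTrusted are hypothetical names.

// Documented order: Origin header, then Referer header. The third documented
// source, request.referrer, is left out of this model.
function originOf(headers) {
  const origin = headers.get("origin");
  if (origin) return origin;
  const referer = headers.get("referer");
  if (!referer) return null;
  try {
    return new URL(referer).origin; // assumption: Referer is reduced to its origin
  } catch {
    return null; // malformed Referer gives no origin to trust
  }
}

// String: exact, case-insensitive. RegExp: pattern test. Array: any element.
// Function: custom logic; the (origin, request) argument shape is an assumption.
function isTrusted(rule, origin, request) {
  if (origin === null) return false;
  if (typeof rule === "string") return rule.toLowerCase() === origin.toLowerCase();
  if (rule instanceof RegExp) return rule.test(origin);
  if (Array.isArray(rule)) return rule.some((r) => isTrusted(r, origin, request));
  if (typeof rule === "function") return Boolean(rule(origin, request));
  return false;
}

// Constructed sample values, not taken from the page.
const PARTNER = "https://partner.example";
const LOOKALIKE = "https://partner.example.attacker.test";
const looseRule = /partner\.example/; // unanchored: matches any origin containing it
const strictRule = /^https:\/\/partner\.example$/; // anchored: the whole origin only

function demo() {
  const headers = new Headers({ referer: PARTNER + "/form?step=2" });
  return {
    refererOrigin: originOf(headers),
    looseTrustsLookalike: isTrusted(looseRule, LOOKALIKE),
    strictTrustsLookalike: isTrusted(strictRule, LOOKALIKE),
    strictTrustsPartner: isTrusted(strictRule, PARTNER),
    stringIgnoresCase: isTrusted("HTTPS://Partner.Example", PARTNER),
  };
}

console.log(demo());
```

Because a matching origin skips token validation entirely, exact strings or fully anchored patterns are the safer choice for this option.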

    safeMethods?: createCsrfTokenMiddleware.RequestMethod[]

    HTTP methods that bypass CSRF validation. These methods are considered safe because they should not cause side effects.

    Default: ["GET", "HEAD", "OPTIONS"]
    
    secret?: string

    A secret to sign the CSRF token for extra security. When provided, tokens are signed and validated against tampering.