Remix Utils - v9.1.0

    Configuration options for the CSRF middleware.

    Properties

    allowMissingOrigin?: boolean

    Whether to allow requests when the origin cannot be determined (missing Origin header, Referer header, Sec-Fetch-Site header, and request.referrer property) or cannot be parsed as a valid URL.

    Warning: Enabling this option is high risk. Requests without a parseable origin will bypass origin validation entirely, which can allow attackers to perform cross-site requests in environments that don't send origin headers. Only use this when you're certain that clients without origin headers are within your trusted boundary, or pair it with an additional CSRF token mechanism.

    Default: false
    
    onUntrustedRequest?: UntrustedRequestHandler

    Custom handler for requests that fail CSRF validation. Use this to log attempts, return custom error responses, or implement additional security measures.

    • Parameter: the rejected request.
    • Parameter: the router context.
    • Returns: a Response to send to the client.
    • Default: throws a 403 Forbidden response.
    

    Trusted origins allowed for cross-site requests.

    When a request has Sec-Fetch-Site: cross-site, the middleware checks the request origin against this configuration:

    • String: exact match (case-insensitive)
    • RegExp: pattern match against the origin
    • Array: matches if any element matches
    • Function: custom validation logic with access to request and context

    The origin is extracted from (in order): Origin header, Referer header, or request.referrer property.

    If not specified, all cross-site requests are rejected.

    HTTP methods that bypass CSRF validation. These methods are considered safe because they should not cause side effects. Must be uppercase (e.g., "GET", not "get").

    Default: ["GET", "HEAD", "OPTIONS"]
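
The matching and fallback rules described on this page, modelled as an added example (not remix-utils code and not part of the original documentation): it shows why a RegExp rule should be anchored to the whole origin and what allowing a missing origin skips. The plain-object request shape, the `trusted` option name, the function-rule signature and the sample domains are assumptions, and only the cross-site branch is modelled.

```javascript
// Added model of the documented rules; not remix-utils source code.
// Requests are plain objects with lowercase header names (constructed shape).
const DEFAULT_SAFE_METHODS = ["GET", "HEAD", "OPTIONS"];

// Origin header, then Referer header, then request.referrer; null if absent or unparseable.
function extractOrigin(request) {
  const raw = request.headers.origin ?? request.headers.referer ?? request.referrer;
  if (!raw) return null;
  try {
    const { origin } = new URL(raw);
    return origin === "null" ? null : origin;
  } catch {
    return null;
  }
}

// String: case-insensitive exact match. RegExp: test(). Array: any element matches.
// Function: assumed signature (origin, request, context).
function matchesTrusted(rule, origin, request, context) {
  if (typeof rule === "string") return rule.toLowerCase() === origin.toLowerCase();
  if (rule instanceof RegExp) return rule.test(origin);
  if (Array.isArray(rule)) return rule.some((r) => matchesTrusted(r, origin, request, context));
  if (typeof rule === "function") return Boolean(rule(origin, request, context));
  return false;
}

// Models only the cross-site branch. `trusted` is a hypothetical option name.
function decide(request, options = {}, context = {}) {
  const { trusted, safeMethods = DEFAULT_SAFE_METHODS, allowMissingOrigin = false } = options;
  if (safeMethods.includes(request.method)) return "allow"; // case-sensitive compare
  const origin = extractOrigin(request);
  if (origin === null) return allowMissingOrigin ? "allow" : "reject"; // skips the origin check
  if (trusted === undefined) return "reject"; // nothing configured: reject cross-site
  return matchesTrusted(trusted, origin, request, context) ? "allow" : "reject";
}

// Constructed sample requests using reserved example domains.
const crossSitePost = (headers) => ({ method: "POST", headers: { "sec-fetch-site": "cross-site", ...headers } });
const partner = crossSitePost({ origin: "https://app.partner.example" });
const lookalike = crossSitePost({ origin: "https://app.partner.example.lookalike.test" });
const viaReferer = crossSitePost({ referer: "https://app.partner.example/form?x=1" });
const noOrigin = { method: "POST", headers: {} };

const LOOSE = /app\.partner\.example/; // unanchored: also matches longer hostnames
const STRICT = /^https:\/\/app\.partner\.example$/; // anchored to the whole origin

console.log(decide(lookalike, { trusted: LOOSE }), decide(lookalike, { trusted: STRICT }));
console.log(decide(noOrigin, { trusted: STRICT, allowMissingOrigin: true }));
```

In this model the unanchored pattern accepts the lookalike origin while the anchored one rejects it, and a request with no parseable origin is allowed regardless of the trusted rule once missing origins are permitted.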