---
title: "CSRF protection in @netlify/identity 1.1.0"
description: "@netlify/identity 1.1.0 adds a verifyRequestOrigin helper that protects server-side login, signup, and logout endpoints from cross-site request forgery."
source: "https://www.netlify.com/changelog/2026-05-02-netlify-identity-verify-request-origin/"
last_updated: "2026-07-17T04:31:39.000Z"
---
`@netlify/identity` 1.1.0 introduces a new `verifyRequestOrigin` helper to make it easier for developers and AI agents to add CSRF (Cross-Site Request Forgery) protection when running authentication on the server.

You can call `login()`, `signup()`, or `logout()` from a Netlify Function or Edge Function to handle authentication entirely on the server. The library reads and writes the `nf_jwt` and `nf_refresh` cookies through the Netlify runtime, so the user’s browser receives the session via the response.

netlify/functions/login.ts

```
import { login, verifyRequestOrigin } from '@netlify/identity'import type { Context } from '@netlify/functions'
export default async (req: Request, context: Context) => {  verifyRequestOrigin(req)  const { email, password } = await req.json()  await login(email, password)  return new Response(null, { status: 302, headers: { Location: '/dashboard' } })}
```

When `login()`, `signup()`, or `logout()` runs inside an HTTP endpoint that you expose, that endpoint needs Cross-Site Request Forgery (CSRF) protection. Without it, an attacker can trick a victim’s browser into logging into the attacker’s account, then collect anything the victim does inside that session.

Call `verifyRequestOrigin(request)` at the start of the handler. It compares the request’s `Origin` header against the request’s own origin and throws a 403 on mismatch. If your framework already checks `Origin` on state-changing requests by default, the call is redundant but harmless.

Refer to the [`@netlify/identity` CSRF protection documentation](https://www.npmjs.com/package/@netlify/identity#security-csrf-protection) for the full threat model and the `allowedOrigins` option.