Netlify Identity package update: CSRF protection with new `verifyRequestOrigin` helper

May 2, 2026

@netlify/identity 1.1.0 introduces a new verifyRequestOrigin helper to make it easier for developers and AI agents to add CSRF (Cross-Site Request Forgery) protection when running authentication on the server.

You can call login(), signup(), or logout() from a Netlify Function or Edge Function to handle authentication entirely on the server. The library reads and writes the nf_jwt and nf_refresh cookies through the Netlify runtime, so the user’s browser receives the session via the response.

netlify/functions/login.ts

```ts
import { login, verifyRequestOrigin } from '@netlify/identity'
import type { Context } from '@netlify/functions'

export default async (req: Request, context: Context) => {
  // Reject cross-site requests first, before the body is read or the session is touched.
  verifyRequestOrigin(req)
  const { email, password } = await req.json()
  // Sets the nf_jwt and nf_refresh cookies on the response through the Netlify runtime.
  await login(email, password)
  return new Response(null, { status: 302, headers: { Location: '/dashboard' } })
}
```

When login(), signup(), or logout() runs inside an HTTP endpoint that you expose, that endpoint needs CSRF protection. Without it, an attacker can trick a victim's browser into logging into the attacker's account (a login CSRF), then collect anything the victim does inside that session.

Call verifyRequestOrigin(request) at the start of the handler, before reading the body or touching the session. It compares the request's Origin header against the request's own origin and throws a 403 on mismatch, so nothing after it runs for a cross-site request. If your framework already checks Origin on state-changing requests by default, the call is redundant but harmless.
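How an Origin comparison of this kind works, as an added example that is not the @netlify/identity implementation: a standalone checkRequestOrigin function and a handler-shaped originGate wrapper, run over constructed requests. The function names, the decision to refuse a request with a missing or "null" Origin header, and the shape of the allowed-origins list are assumptions of this example, not the library's documented behaviour; read the library documentation for what the real helper does in those cases.

```typescript
// Added example: a standalone origin check in the spirit of the
// verifyRequestOrigin helper. It is NOT the @netlify/identity code.
// How the real helper treats a missing or "null" Origin header, and the
// exact shape of its allowedOrigins option, are assumptions here.

export type OriginCheck = { ok: true } | { ok: false; reason: string }

// Reduce a URL or origin string to scheme://host[:port]. The URL parser
// drops default ports, so "https://a.example:443" and "https://a.example"
// compare equal. Returns null for unparsable input.
export function normalizeOrigin(value: string): string | null {
  try {
    return new URL(value).origin
  } catch {
    return null
  }
}

export function checkRequestOrigin(
  requestUrl: string,
  originHeader: string | null,
  allowedOrigins: string[] = [],
): OriginCheck {
  // Every cross-site POST a browser sends (form submit or fetch) carries an
  // Origin header, so a state-changing endpoint can refuse requests without
  // one instead of assuming they are same-origin (assumption of this
  // example). "null" is the opaque origin sent from sandboxed frames.
  if (originHeader === null || originHeader === 'null') {
    return { ok: false, reason: 'missing or opaque Origin header' }
  }
  const origin = normalizeOrigin(originHeader)
  if (origin === null) {
    return { ok: false, reason: 'malformed Origin header' }
  }
  const self = normalizeOrigin(requestUrl)
  if (self === null) {
    return { ok: false, reason: 'malformed request URL' }
  }
  // The request's own origin is always accepted; allowedOrigins adds extra
  // first-party origins (e.g. a separate admin host). The comparison is an
  // exact match on the whole origin, never a prefix or substring match, so
  // "https://app.example.com.evil.example" does not pass.
  const allowed: string[] = [self]
  for (const extra of allowedOrigins) {
    const o = normalizeOrigin(extra)
    if (o !== null) allowed.push(o)
  }
  if (allowed.indexOf(origin) === -1) {
    return { ok: false, reason: `Origin ${origin} is not one of ${allowed.join(', ')}` }
  }
  return { ok: true }
}

// Handler-shaped wrapper mirroring the changelog's usage: returns the HTTP
// status the handler should answer with (403 on mismatch) or null to proceed.
// Works with any fetch-style Request, which exposes headers.get('origin').
export function originGate(
  req: { url: string; headers: { get(name: string): string | null } },
  allowedOrigins: string[] = [],
): number | null {
  const result = checkRequestOrigin(req.url, req.headers.get('origin'), allowedOrigins)
  return result.ok ? null : 403
}

// Constructed sample requests (not captured traffic) exercising each branch.
export function demo(): Record<string, number | null> {
  const mk = (url: string, origin: string | null) => ({
    url,
    headers: { get: (n: string) => (n.toLowerCase() === 'origin' ? origin : null) },
  })
  const site = 'https://app.example.com/.netlify/functions/login'
  return {
    sameOrigin: originGate(mk(site, 'https://app.example.com')),
    crossSite: originGate(mk(site, 'https://evil.example')),
    lookalike: originGate(mk(site, 'https://app.example.com.evil.example')),
    noOrigin: originGate(mk(site, null)),
    allowedAdmin: originGate(mk(site, 'https://admin.example.com'), ['https://admin.example.com']),
  }
}
```

Two design points carry over to any Origin-based CSRF check: compare whole normalized origins (scheme, host, port), never a hostname prefix, and decide deliberately what to do when the header is absent, since a permissive default there reopens the hole for any client that can suppress the header.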

Refer to the @netlify/identity CSRF protection documentation for the full threat model and the allowedOrigins option.