security hardening

src/lib/api.ts

@@ -11,6 +11,20 @@ const getBaseUrl = () => {
   return `http://localhost:${process.env.PORT ?? 3000}`;
 };
 
+/**
+ * Get CSRF token from cookies
+ */
+function getCSRFToken(): string | undefined {
+  if (typeof document === "undefined") return undefined;
+
+  const value = `; ${document.cookie}`;
+  const parts = value.split(`; csrf-token=`);
+  if (parts.length === 2) {
+    return parts.pop()?.split(";").shift();
+  }
+  return undefined;
+}
+
 export const api = createTRPCProxyClient<AppRouter>({
   links: [
     // Only enable logging in development mode
@@ -30,7 +44,11 @@ export const api = createTRPCProxyClient<AppRouter>({
       : []),
     // identifies what url will handle trpc requests
     httpBatchLink({
-      url: `${getBaseUrl()}/api/trpc`
+      url: `${getBaseUrl()}/api/trpc`,
+      headers: () => {
+        const csrfToken = getCSRFToken();
+        return csrfToken ? { "x-csrf-token": csrfToken } : {};
+      }
     })
   ]
 });