The official Nuxt Certification Program in partnership with VueSchool is coming.


Cross-Site Request Forgery (CSRF) Prevention for Nuxt


npm versionnpm downloadsLicenseNuxt

Nuxt Csurf

Cross-Site Request Forgery (CSRF) prevention.
Create a middleware for CSRF token creation and validation.

✅ Supports Node.js server & serverless environments
✅ Supports both universal and client-side rendering (ssr: true|false)
✅ Per-route configuration
✅ TypeScript


yarn add nuxt-csurf # yarn
npm i nuxt-csurf # npm


The only thing you need to do to use the module in the default configuration is to register the module in the modules array in nuxt.config.ts:

// nuxt.config.js
  modules: [
  csurf: { // optional
    https: false, // default true if in production
    cookieKey: '', // "__Host-csrf" if https is true otherwise just "csrf"
    cookie: { // CookieSerializeOptions from unjs/cookie-es
      path: '/',
      httpOnly: true,
      sameSite: 'strict'
    methodsToProtect: ['POST', 'PUT', 'PATCH'], // the request methods we want CSRF protection for
    encryptSecret: /** a 32 bits secret */, // only for non serverless runtime, random bytes by default
    encryptAlgorithm: 'aes-256-cbc', // by default 'aes-256-cbc' (node), 'AES-CBC' (serverless)
    addCsrfTokenToEventCtx: true // default false, to run useCsrfFetch on server set it to true


This composable provides a convenient wrapper around useFetch. It automatically adds the CSRF token in headers.

const { data, pending, error, refresh } = useCsrfFetch('/api/login', { query: param1: 'value1' })


This helper provides a convenient wrapper around $fetch. It automatically adds the CSRF token in headers.

const { $csrfFetch } = useNuxtApp()
const { data } = await $csrfFetch('/api/login', { method: 'POST', body:, headers:})


Use this composable if you need to access to the CSRF token value.

const { csrf } = useCsrf()
console.log(csrf) // something like: mo4+MrFaeXP7fhAie0o2qw==:tLUaqtHW6evx/coGQVAhtGAR+v6cxgFtrqmkOsuAMag8PHRnMwpbGGUO0TPJjL+4