SecureStartKit
Vulnerability Patterns

CSRF (Cross-Site Request Forgery)

Also known as: Cross-Site Request Forgery, XSRF, session riding

Definition

CSRF (Cross-Site Request Forgery) is an attack where a malicious site causes the victim's browser to send a request to a target site using the victim's existing session cookies. In Next.js App Router, Server Actions defend against CSRF by checking the Origin header against the Host on every POST.

What is CSRF?

The user is logged into yourapp.com with a session cookie. They visit attacker.com, which contains JavaScript that submits a form to yourapp.com/api/delete-account. The browser attaches the session cookie to the request automatically. Without defense, the request succeeds and the account is deleted.

How does Next.js defend against CSRF?

Server Actions in Next.js 14+ enforce an Origin-vs-Host check on every POST request. If the Origin header is missing or differs from the request's host, the action rejects with a 403. Combined with SameSite=Lax cookies (the modern default), CSRF against Server Actions is structurally blocked.

What about Route Handlers?

Route Handlers do not get the Origin check automatically. If you implement a custom POST endpoint, add the check yourself or use a token-based CSRF defense. The CVE-2026-27978 advisory describes a null-Origin bypass that affected older middleware configurations; the fix is to reject empty Origin headers explicitly.
