Does clerk protect against CSRF for all form requests or just login/sign up?


We need clarification about CSRF security when using Clerk authentication with Next.js.

The Clerk docs seem to state that using Clerk grants CSRF protection as long as we're not mutating data on navigation.

https://clerk.com/docs/security/csrf-protection

Do I need to take additional steps to prevent CSRF attacks? You do not, but it is still possible to accidentally make your application vulnerable to XSS attacks.

Because Clerk uses the Lax setting, it is critical to remember that navigation alone should never trigger a mutation in your backend. Otherwise, the user can be tricked into clicking a link that takes an action they did not intend.

  • Does that apply to all form posts in our app?
  • Does it matter if we post JSON rather than form data?
  • Should we use CSRF tokens anyway?
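The three questions above all turn on one mechanism: when a browser attaches a SameSite=Lax cookie, and what a server can check when the cookie alone cannot prove intent. The following is an added example written for this thread; it is not Clerk's code and not part of the question. It models the Lax attachment rule and a server-side CSRF guard in plain Node, with request objects as simple `{ method, headers }` literals (an assumption made so it runs without Next.js) and `https://app.example.com` as an assumed deployment origin.

```javascript
// Added example for this thread, not code from Clerk or from the question.
// Models the SameSite=Lax cookie rule and a server-side CSRF guard that a
// Next.js route handler could apply. Requests are plain objects with
// `method` and lowercase header names (assumption, to stay runnable here).

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);
const APP_ORIGIN = "https://app.example.com"; // assumed deployment origin

// Browser rule for a SameSite=Lax cookie: attached to every same-site
// request, and to a cross-site request only when it is a top-level
// navigation with a safe method (a clicked link, a redirect). A cross-site
// <form method="POST"> or fetch() never carries it.
function laxCookieAttached({ method, crossSite, topLevelNavigation }) {
  if (!crossSite) return true;
  return topLevelNavigation && SAFE_METHODS.has(method.toUpperCase());
}

// Server-side guard for state-changing requests. Safe methods pass because
// they are required never to mutate; unsafe methods must prove they came
// from our own origin. Fetch Metadata (Sec-Fetch-Site) is checked first,
// then Origin. The body encoding (form vs JSON) plays no part.
function csrfGuard(req, allowedOrigin = APP_ORIGIN) {
  const method = req.method.toUpperCase();
  if (SAFE_METHODS.has(method)) return { allowed: true, reason: "safe method" };
  const site = req.headers["sec-fetch-site"];
  if (site && site !== "same-origin" && site !== "none") {
    return { allowed: false, reason: `sec-fetch-site=${site}` };
  }
  const origin = req.headers["origin"];
  if (!origin) return { allowed: false, reason: "missing origin header" };
  if (origin !== allowedOrigin) return { allowed: false, reason: `origin=${origin}` };
  return { allowed: true, reason: "same-origin" };
}

// Combines both views: would the victim's session cookie ride along
// (authenticated), and would the guard let the request through (allowed)?
function simulate(req) {
  const crossSite = (req.headers["sec-fetch-site"] || "same-origin") === "cross-site";
  const topLevelNavigation = req.headers["sec-fetch-mode"] === "navigate";
  const authenticated = laxCookieAttached({ method: req.method, crossSite, topLevelNavigation });
  const { allowed, reason } = csrfGuard(req);
  return { authenticated, allowed, reason };
}

// Constructed requests, as a browser would emit them from an attacker page
// at https://evil.example versus from our own app.
const requests = {
  crossSiteFormPost: {
    method: "POST",
    headers: { origin: "https://evil.example", "sec-fetch-site": "cross-site",
               "sec-fetch-mode": "navigate",
               "content-type": "application/x-www-form-urlencoded" },
  },
  crossSiteJsonPost: {
    method: "POST",
    headers: { origin: "https://evil.example", "sec-fetch-site": "cross-site",
               "sec-fetch-mode": "cors", "content-type": "application/json" },
  },
  sameOriginJsonPost: {
    method: "POST",
    headers: { origin: APP_ORIGIN, "sec-fetch-site": "same-origin",
               "sec-fetch-mode": "cors", "content-type": "application/json" },
  },
  // A link on the attacker page pointing at e.g. /api/transfer?to=attacker:
  // the Lax cookie IS sent, and no header check can tell it from a real click.
  crossSiteLinkGet: {
    method: "GET",
    headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate" },
  },
};

function runAll() {
  return Object.fromEntries(
    Object.entries(requests).map(([name, req]) => [name, simulate(req)])
  );
}

if (typeof require !== "undefined" && require.main === module) console.table(runAll());
```

Running it shows the pattern behind the quoted docs: neither a cross-site form POST nor a cross-site JSON POST arrives with the Lax cookie, so the encoding makes no difference to authentication; the one cross-site request that does arrive authenticated is a top-level GET navigation, which is why a GET handler must never mutate. The Origin/Sec-Fetch-Site check is a cheap second layer for unsafe methods that needs no per-session token; a token scheme is still an option if you want a defense that does not depend on the cookie's SameSite attribute.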
