Strict GET Method Plugin
This plugin enhances security by ensuring that only procedures explicitly marked to accept GET requests can be called with the HTTP GET method under the RPC protocol. This helps prevent certain Cross-Site Request Forgery (CSRF) attacks: a cross-site GET that the browser sends with the victim's cookies (a link, a redirect, an embedded image or script) cannot invoke a state-changing procedure that was never meant to be reachable by GET.
When to Use
This plugin is beneficial if your application stores sensitive data (such as session or auth tokens) in cookies with SameSite=Lax (the default) or SameSite=None. With Lax, browsers still attach the cookie to cross-site top-level GET navigations; with None they attach it to every cross-site request, including <img> and <script> loads. In both cases a forged GET arrives at your server authenticated, whereas a cross-site POST carrying a JSON body is a non-simple request that the browser subjects to a CORS preflight. If your cookies use SameSite=Strict, browsers never send them cross-site and this plugin adds little.
INFO
RPCHandler enables this plugin by default for the HTTP adapters. You may switch to Simple CSRF Protection if preferred, or disable this plugin entirely if it provides no benefit for your use case (for example, when no credentials are carried in cookies).
How it works
The plugin enforces a simple rule: only procedures explicitly configured with method: 'GET' can be invoked via a GET request. All other procedures reject GET requests and remain callable with POST as usual. The rule is purely declarative: the plugin does not inspect what a handler does, so a state-changing procedure that is routed with method: 'GET' is still reachable cross-site. Reserve method: 'GET' for read-only procedures.
```ts
import { os } from '@orpc/server'

// Explicitly opted in to GET: callable via GET (and still via POST).
// Procedures without this route option reject GET once the plugin is active.
const ping = os
  .route({ method: 'GET' })
  .handler(() => 'pong')
```
Setup
```ts
import { RPCHandler } from '@orpc/server/fetch' // or '@orpc/server/node'
import { StrictGetMethodPlugin } from '@orpc/server/plugins'

// `router` is your application's oRPC router.
const handler = new RPCHandler(router, {
  plugins: [
    new StrictGetMethodPlugin()
  ],
})
```
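The following added example (written for this page, not code from oRPC) models the rule described under How it works together with the cookie behaviour described under When to Use. It builds a tiny in-memory router with one read-only procedure opted into GET and one mutation left at the default, a simplified model of when a browser attaches a SameSite=Lax, None or Strict cookie to a cross-site request, and a handler that returns the status a request would get with and without the rule. The router, the procedure names (ping, deleteAccount, legacyDelete), the request shape and the status codes are assumptions; the real RPC protocol's GET encoding is not reproduced and nothing is imported from @orpc.

```typescript
// Added example (not oRPC's code): a self-contained model of the strict-GET
// rule and of SameSite cookie attachment. Router, names, request shape and
// status codes are hypothetical.

type HttpMethod = 'GET' | 'POST'
type SameSite = 'Strict' | 'Lax' | 'None'

// What a procedure declares via .route({ method }); undefined = not marked for GET.
interface ProcedureRoute { method?: HttpMethod }

// Hypothetical router metadata.
const routes: Record<string, ProcedureRoute> = {
  ping: { method: 'GET' },          // read-only, explicitly opted in to GET
  deleteAccount: {},                // mutation left at the default: POST only under the rule
  legacyDelete: { method: 'GET' },  // mistake: a mutation explicitly exposed on GET
}

// The rule the plugin enforces: GET is accepted only for procedures that
// explicitly declare method: 'GET'; every other method passes through.
export function strictGetAllows(route: ProcedureRoute, method: HttpMethod): boolean {
  return method !== 'GET' || route.method === 'GET'
}

interface RequestContext {
  method: HttpMethod
  crossSite: boolean            // request originates from another site
  topLevelNavigation: boolean   // link click / redirect, as opposed to <img> or fetch()
}

// Simplified model of browser cookie attachment. Lax: cross-site only on a
// top-level navigation with a safe method (GET here); None: always; Strict:
// never cross-site. A cross-site POST with a JSON body would additionally need
// a CORS preflight; that is not modelled because the point here is GET.
export function cookieSent(sameSite: SameSite, req: RequestContext): boolean {
  if (!req.crossSite) return true
  if (sameSite === 'Strict') return false
  if (sameSite === 'Lax') return req.topLevelNavigation && req.method === 'GET'
  return true // 'None'
}

interface RpcRequest extends RequestContext { procedure: string }

// Minimal server model: a session cookie is required, then (optionally) the
// strict-GET rule is applied. Returns the HTTP status the request would get.
export function handle(
  req: RpcRequest,
  opts: { sameSite: SameSite; strictGet: boolean },
): number {
  if (!cookieSent(opts.sameSite, req)) return 401 // no session: forged request is harmless
  const route = routes[req.procedure]
  if (!route) return 404
  if (opts.strictGet && !strictGetAllows(route, req.method)) return 405
  return 200 // the procedure's handler would run here
}

// An attacker-controlled page tries to delete the victim's account through a
// top-level GET navigation (e.g. a redirect) while the session cookie is SameSite=Lax.
const forged: RpcRequest = { procedure: 'deleteAccount', method: 'GET', crossSite: true, topLevelNavigation: true }
console.log('without plugin:', handle(forged, { sameSite: 'Lax', strictGet: false })) // 200: CSRF succeeds
console.log('with plugin:   ', handle(forged, { sameSite: 'Lax', strictGet: true }))  // 405: rejected
console.log('legit POST:    ', handle({ ...forged, method: 'POST', crossSite: false }, { sameSite: 'Lax', strictGet: true })) // 200
console.log('legacyDelete:  ', handle({ ...forged, procedure: 'legacyDelete' }, { sameSite: 'Lax', strictGet: true })) // 200: GET opt-in re-opens the hole
```

Two things to take from running it: an `<img>`-style cross-site GET never carries a Lax cookie (the model returns 401, so that path is harmless even without the plugin), and the plugin only honours the declaration, so the `legacyDelete` line shows why a mutation must not be routed with method: 'GET'.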