Strict GET Method Plugin
This plugin enhances security by ensuring that only procedures explicitly marked to accept GET requests can be called using the HTTP GET method over the RPC protocol. This helps prevent certain types of Cross-Site Request Forgery (CSRF) attacks.
INFO: RPCHandler enables this plugin by default.
When to Use
This plugin is beneficial if your application stores sensitive data (like session or auth tokens) in Cookie storage using SameSite=Lax (the default) or SameSite=None.
How it works
The plugin enforces a simple rule: only procedures explicitly configured with method: 'GET' can be invoked via a GET request. All other procedures will reject GET requests.
```ts
import { os } from '@orpc/server'

// Only procedures that opt in with method: 'GET' may be invoked over HTTP GET.
const ping = os
  .route({ method: 'GET' })
  .handler(() => 'pong')
```
Setup
```ts
// The adapter import is an assumption: use the one matching your runtime
// (for example '@orpc/server/fetch' or '@orpc/server/node').
import { RPCHandler } from '@orpc/server/fetch'
import { StrictGetMethodPlugin } from '@orpc/server/plugins'

// `router` is your oRPC router, defined elsewhere in your application.
const handler = new RPCHandler(router, {
  plugins: [
    new StrictGetMethodPlugin(),
  ],
})
```