Supertokens doesn't appear to be validating my CSRF header, and I don't think I've turned off CSRF protection anywhere

hey @vivalapanda by default, we do CSRF checks on non GET APIs. We do this by checking if there is a header preset in the request (

rid

header), which is auto added to the request header by our interceptor on the frontend. This is one way to do CSRF checks: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#use-of-custom-request-headers --------- The other way is what an anti-csrf token which is something you need to enable on the backend (see http://localhost:3000/docs/session/common-customizations/sessions/anti-csrf#manually-enable-anti-csrf). You will have to set the value of

antiCsrf

to

VIA_TOKEN

. However, this is not really needed usually since the custom header method should be good enough. Is there something else you were looking for?

I removed the custom header from a request in curl and the request still succeeded (tried this because a pentester indicated our anti csrf wasn't fully working)

is that a GET request?