fix: CSRF vulnerability in form submissions #21

@anxkhn

Description

Problem Description

Form submissions lack CSRF protection, making the application vulnerable to cross-site request forgery attacks.

Context

Server Actions in Next.js can be vulnerable to CSRF if not properly protected.

Files to Investigate

  • src/app/submit/page.tsx - Event form
  • src/actions/events.ts - Server actions
  • src/components/event-form.tsx - Form component

Steps to Reproduce

  1. Create a malicious page that submits to the event creation endpoint
  2. User clicks the page while logged in
  3. Event is created without user consent

Expected Behavior

Form submissions should require a CSRF token or other protection mechanism.

Acceptance Criteria

  • Implement CSRF token validation
  • Or use Next.js built-in CSRF protection
  • All forms protected
  • Add security test

Suggested Approach

Research Next.js Server Actions CSRF protection and implement the recommended approach.

Difficulty: Hard

Estimated time: 3-6 hours
Prerequisites: Security concepts, Next.js internals
Learning outcomes: Web security, CSRF prevention
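A defender-side sketch of the two checks the acceptance criteria ask for, added here as an example and not code from the issue or the project: an Origin-versus-Host comparison of the kind Next.js itself performs for Server Actions, and a double-submit CSRF token check. The `RequestLike` shape, cookie/field names and function names are assumptions; a real handler would read `headers()` and `cookies()` from Next.js instead.

```typescript
// Example added to the issue, not project code. Names and the request shape are hypothetical.
interface RequestLike {
  headers: Record<string, string | undefined>;  // lower-cased header names
  cookies: Record<string, string | undefined>;
  formData: Record<string, string | undefined>;
}

/** Reject requests whose Origin host differs from the serving host (or an allow-listed origin). */
export function originMatchesHost(req: RequestLike, allowedOrigins: string[] = []): boolean {
  const origin = req.headers["origin"];
  const host = req.headers["x-forwarded-host"] ?? req.headers["host"];
  if (!origin || !host) return false; // fail closed: a state-changing POST without Origin is suspect
  let originHost: string;
  try {
    originHost = new URL(origin).host; // host:port, as the Host header carries it
  } catch {
    return false; // malformed Origin header
  }
  return originHost === host || allowedOrigins.includes(originHost);
}

/** Constant-time comparison so a token check does not leak match length via timing. */
function safeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

/** Double-submit cookie: the hidden form field must carry the same random token as the cookie. */
export function csrfTokenValid(
  req: RequestLike,
  cookieName = "csrf_token", // assumed cookie name
  fieldName = "_csrf",       // assumed hidden-field name
): boolean {
  const cookieToken = req.cookies[cookieName];
  const fieldToken = req.formData[fieldName];
  // Require both halves and a minimum length so an empty/empty pair never "matches".
  if (!cookieToken || !fieldToken || cookieToken.length < 32) return false;
  return safeEqual(cookieToken, fieldToken);
}

/** Gate to run at the top of a Server Action before touching the events store. */
export function isSafeSubmission(req: RequestLike, allowedOrigins: string[] = []): boolean {
  return originMatchesHost(req, allowedOrigins) && csrfTokenValid(req);
}
```

The token in the cookie must be generated with a CSPRNG per session and the cookie marked `SameSite=Lax` or stricter; the comparison above is only the verification half.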

Metadata

Assignees

No one assigned

Labels

  • advanced: Complex challenge (3-6 hours)
  • security: Security vulnerability
