This wraps your Next.js API routes with CSRF protection using HMAC-SHA256 signed tokens that are session-bound and single-use. You fetch a token from /api/csrf before making POST/PUT/DELETE requests, include it in the X-CSRF-Token header, and withCsrf() handles verification automatically. The implementation is solid: HTTP-only cookies, SameSite=Strict, and tokens that expire after one use. Honestly, CSRF protection is one of those things that's easy to skip because nothing visibly breaks without it, but the documentation here does a good job explaining why it matters, with real examples like the 2008 router hijacking attacks. It works well layered with rate limiting for things like contact forms or account changes.
npx skills add https://github.com/harperaa/secure-claude-skills --skill csrf-protection