Do I need to use CSRF protection on my application...
# general
Do I need to use CSRF protection on my application URLs that are authenticated by Ory Kratos?
Hello @stale-rainbow-67109

If your application uses Ory Kratos for authentication and you are integrating with its self-service flows (login, registration, settings, etc.), Ory Kratos already provides CSRF protection for these flows. This means that when you use Ory Kratos' APIs and follow its flow patterns, CSRF tokens and anti-CSRF cookies are automatically managed and validated by Kratos.

You must ensure that your application correctly forwards the CSRF token and cookies when interacting with Kratos endpoints, especially when submitting forms or making AJAX requests. For example, when mapping UI nodes, you need to include the CSRF token in the request body, and the browser should send the CSRF cookie automatically (see "Bring-your-own-ui: Integration basics").

However, for your own application URLs and endpoints that are not handled by Ory Kratos (i.e., custom business logic or APIs outside of Kratos' self-service flows), you are responsible for implementing CSRF protection as needed. Ory Kratos' CSRF protection only applies to its own flows and endpoints, not to arbitrary routes in your application.
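The two halves of the answer above, as an added example that is not part of the thread or of Ory's own code: mapping a Kratos flow's `ui.nodes` into a submission body that forwards the hidden `csrf_token`, and a separate double-submit check for routes Kratos does not cover. The flow JSON is a constructed sample that follows the public Kratos flow shape; the token value and flow id are made up.

```javascript
// Constructed sample of a Kratos login flow response (shape as returned by
// GET /self-service/login/flows; id and csrf_token value are invented).
const SAMPLE_FLOW = {
  id: "flow-0001",
  ui: {
    action: "https://kratos.example.com/self-service/login?flow=flow-0001",
    method: "POST",
    nodes: [
      { type: "input", group: "default",
        attributes: { name: "csrf_token", type: "hidden", value: "constructed-csrf-token", required: true, disabled: false } },
      { type: "input", group: "password",
        attributes: { name: "identifier", type: "text", required: true, disabled: false } },
      { type: "input", group: "password",
        attributes: { name: "password", type: "password", required: true, disabled: false } },
      { type: "input", group: "password",
        attributes: { name: "method", type: "submit", value: "password", disabled: false } },
    ],
  },
};

// Build the body to POST to flow.ui.action. Hidden nodes (csrf_token) carry the
// server-provided value; user-entered fields and the chosen submit button
// (e.g. method: "password") come from userInput. The browser adds the
// anti-CSRF cookie itself when the request is sent with credentials.
function buildSubmission(flow, userInput) {
  const body = {};
  for (const node of flow.ui.nodes) {
    if (node.type !== "input" || node.attributes.disabled) continue;
    const { name, type, value } = node.attributes;
    if (type === "hidden") body[name] = value;
    else if (name in userInput) body[name] = userInput[name];
  }
  if (!body.csrf_token) throw new Error("flow has no csrf_token node; fetch a fresh flow");
  return { url: flow.ui.action, method: flow.ui.method, body };
}

// Kratos does nothing for the app's own endpoints. Minimal double-submit check:
// the token in the CSRF cookie must equal the token sent in the form/header.
// Compared in constant time so a mismatch position is not leaked via timing.
function ownRouteCsrfOk(cookieToken, requestToken) {
  if (typeof cookieToken !== "string" || typeof requestToken !== "string") return false;
  if (cookieToken.length !== requestToken.length || cookieToken.length === 0) return false;
  let diff = 0;
  for (let i = 0; i < cookieToken.length; i++) {
    diff |= cookieToken.charCodeAt(i) ^ requestToken.charCodeAt(i);
  }
  return diff === 0;
}
```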