# Security Policy
## CSRF Protection
Better Auth protects against CSRF by enforcing strict origin checks and setting cookies with the `SameSite` attribute. As a best practice, any GET request should be designed to avoid modifying resources. If a GET request does alter data, such as in an OAuth callback, additional safeguards (e.g., state parameter verification) must be implemented. Any request containing cookies but missing an `Origin` or `Referer` header is rejected. Requests with these headers that don't match `trustedOrigins` are also discarded.
## Open Redirect Protection
Any endpoint added to a Better Auth instance, whether from a plugin or the core, should only use `callbackURL`, `currentURL`, or `redirectTo` for redirecting users post-action. These values are validated against `trustedOrigins` for security. Additionally, no endpoint handling GET requests should modify resources unless it has its own protection mechanisms in place.
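The following is an added, standalone TypeScript example that illustrates both checks described in the two sections above (the cookie/`Origin`/`Referer` rule and the `callbackURL`-style redirect validation against `trustedOrigins`). It is not Better Auth's own code; the function names (`checkCsrf`, `validateRedirect`, `isTrustedOrigin`), the plain header-map input shape and the `baseURL` parameter are assumptions made for this example. Only the configuration name `trustedOrigins` and the parameter names come from the policy text.

```typescript
// Added example, not Better Auth's implementation. It shows the shape of the
// two protections the policy describes, using only the WHATWG URL parser.

type HeaderMap = Record<string, string | undefined>;

// Normalise a URL or origin string to "scheme://host[:port]"; null if unparsable.
// An opaque Origin of "null" (sandboxed iframe, privacy-sensitive context) fails
// to parse and therefore ends up untrusted.
function originOf(value: string): string | null {
  try {
    return new URL(value).origin;
  } catch {
    return null;
  }
}

// Exact-origin comparison: scheme, host and port must all match an entry.
// Entries are normalised the same way, so "https://h:443" equals "https://h".
function isTrustedOrigin(origin: string | null, trustedOrigins: string[]): boolean {
  if (origin === null) return false;
  return trustedOrigins.some((entry) => originOf(entry) === origin);
}

function lowerKeys(headers: HeaderMap): HeaderMap {
  const out: HeaderMap = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

type CsrfVerdict = { ok: true } | { ok: false; reason: string };

// Mirrors the policy: a request that carries cookies must present an Origin
// header (or, failing that, a Referer), and that origin must be trusted.
// A request without cookies carries no ambient authority and is allowed.
function checkCsrf(req: { headers: HeaderMap }, trustedOrigins: string[]): CsrfVerdict {
  const h = lowerKeys(req.headers);
  if (!h["cookie"]) return { ok: true };

  const source = h["origin"] ?? h["referer"];
  if (!source) {
    return { ok: false, reason: "cookie present but Origin/Referer header missing" };
  }
  const origin = originOf(source);
  if (!isTrustedOrigin(origin, trustedOrigins)) {
    return { ok: false, reason: `origin ${origin ?? source} is not in trustedOrigins` };
  }
  return { ok: true };
}

// Resolve a callbackURL / currentURL / redirectTo value and accept it only if
// it stays on a trusted origin. Relative paths resolve against baseURL, so a
// scheme-relative "//evil.example" becomes an absolute foreign URL and fails
// the origin check; non-http(s) schemes such as javascript: are rejected outright.
// Returns the absolute URL to redirect to, or null when it must not be used.
function validateRedirect(candidate: string, baseURL: string, trustedOrigins: string[]): string | null {
  let url: URL;
  try {
    url = new URL(candidate.trim(), baseURL);
  } catch {
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  if (!isTrustedOrigin(url.origin, trustedOrigins)) return null;
  return url.href;
}

// Constructed sample configuration for a local run.
const sampleTrusted = ["https://app.example.com", "http://localhost:3000"];
console.log(checkCsrf({ headers: { cookie: "session=abc", origin: "https://app.example.com" } }, sampleTrusted));
console.log(validateRedirect("//evil.example/", "https://app.example.com", sampleTrusted));
```

The redirect validator deliberately compares whole origins rather than checking whether the host "starts with" or "contains" a trusted host, which is the usual mistake that lets `https://app.example.com.evil.example` through.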
## Reporting a Vulnerability
If you discover a security vulnerability within Better Auth, please send an e-mail to security@better-auth.com.
All reports will be promptly addressed, and you'll be credited accordingly.