Cursor security

CSRF Protection Missing in Cursor-Generated Forms and APIs

Your Cursor-generated application has forms and state-changing API endpoints (POST, PUT, DELETE) that lack CSRF (Cross-Site Request Forgery) protection. An attacker can craft a malicious webpage that tricks authenticated users into performing unintended actions on your app, such as changing their email, transferring funds, or deleting data.

Cursor often generates clean, functional forms and API routes but omits CSRF tokens entirely. The generated code accepts form submissions and API requests without verifying that they originated from your application. This is especially dangerous for apps that use cookie-based session authentication.

You might discover this during a security audit, penetration test, or when a security researcher demonstrates that they can create an external page that submits forms to your app on behalf of logged-in users.

Error Messages You Might See

ForbiddenError: invalid csrf token 403 Forbidden - CSRF token missing CSRF token mismatch ERR_BAD_CSRF_TOKEN Expected CSRF token not found
ForbiddenError: invalid csrf token403 Forbidden - CSRF token missingCSRF token mismatchERR_BAD_CSRF_TOKENExpected CSRF token not found

Common Causes

  • No CSRF middleware configured — Cursor generated Express/Next.js routes without adding csrf or csurf middleware to the application
  • Forms missing hidden token fields — HTML forms were generated without a CSRF token input field
  • SPA without CSRF headers — Single-page app makes fetch/axios calls without sending a CSRF token in request headers
  • Cookie SameSite not set — Session cookies lack the SameSite attribute, allowing cross-site requests to include credentials
  • API routes skip origin validation — Server-side endpoints don't check the Origin or Referer header to verify request source
  • Webhook exemptions too broad — CSRF exemption for webhook endpoints accidentally covers all POST routes

How to Fix It

  1. Install CSRF middleware — For Express: use the csrf-csrf or lusca package. For Next.js: implement CSRF token validation in middleware. For Django/Rails: ensure built-in CSRF is enabled
  2. Add CSRF tokens to all forms — Include a hidden input field with the CSRF token: <input type="hidden" name="_csrf" value="{{csrfToken}}">
  3. Send CSRF tokens in AJAX requests — For SPAs, read the CSRF token from a cookie or meta tag and include it in the X-CSRF-Token header on every state-changing request
  4. Set SameSite cookie attribute — Configure session cookies with SameSite=Lax or SameSite=Strict to prevent cross-site cookie sending
  5. Validate Origin header on the server — As a defense-in-depth measure, check that the Origin header matches your domain for all state-changing requests
  6. Only exempt specific webhook paths — If you have webhooks (e.g., /api/stripe/webhook), exempt only those specific paths from CSRF, not entire route groups

Real developers can help you.

Jacek Rozanski Jacek Rozanski Senior PHP/Symfony developer and DevOps engineer with 20+ years of professional experience, running opcode.pl (web development agency, est. 2004). Day job: I'm the sole backend developer at merketing company where I own and maintain 11 PHP/Symfony microservices on AWS (ECS Fargate, RDS, S3, CloudFront), handle the full CI/CD pipeline (Bitbucket Pipelines, Docker), and manage monitoring with Sentry and CloudWatch. These services handle high request volumes in production every month. What I bring to AI-built apps: - I audit and fix security issues (OWASP methodology), performance bottlenecks, and architectural problems in codebases generated by Cursor, Claude Code, Lovable, Bolt, and v0 - I refactor AI-generated prototypes into production-grade applications with proper error handling, testing, and clean architecture (SOLID, DDD, hexagonal architecture) - I set up the infrastructure AI tools don't touch: AWS hosting, CI/CD pipelines, automated deployments, database optimization, monitoring, and alerting - I integrate external services: payment providers, email systems, partner APIs, SSO/auth Tech stack: PHP 8.x, Symfony, React, Next.js, PostgreSQL, MySQL, Docker, AWS (ECS, RDS, S3, SQS/SNS, CloudFront), Terraform, Supabase. I also use AI tools daily (Claude Code, Cursor) in my own workflow, so I understand both the strengths and the gaps in AI-generated code. Based in Poland (CET timezone). Available for async work and calls during EU/US business hours. David Olverson David Olverson Solo dev shipping production apps with AI-assisted development. I specialize in rescuing broken Lovable/Bolt/Cursor builds and taking them to production. 10+ apps shipped including SaaS CRMs, gaming platforms, real estate tools, and Discord bots. Stack: Next.js 16, TypeScript, Tailwind CSS, FastAPI, PostgreSQL, Prisma. I use Claude Code with 50+ custom skills for rapid delivery. Average turnaround: 2-4 weeks from broken prototype to production. AUXLE AUXLE I am a Full Stack Developer experienced in building Websites, Web apps and Cross Platform Mobile Apps for Startups and Companies. Yovel Cohen Yovel Cohen I got a lot of experience in building Long-horizon AI Agents in production, Backend apps that scale to millions of users and frontend knowledge as well. Nam Tran Nam Tran 10 years as fullstack developer hanson1014 hanson1014 Full-stack developer experienced in fixing and deploying AI-generated apps from Lovable, Bolt.new, Cursor, and Replit. I specialize in debugging Supabase integration issues (auth flows, RLS policies, database connections), fixing broken deployments, resolving routing/blank screen problems, and cleaning up messy React/Vite codebases. I also build production apps with the Claude API and have shipped a Mac desktop dev tool (Nexterm from scratch. Based in Hong Kong, fast turnaround. Prakash Prajapati Prakash Prajapati I’m a Senior Python Developer specializing in building secure, scalable, and highly available systems. I work primarily with Python, Django, FastAPI, Docker, PostgreSQL, and modern AI tooling such as PydanticAI, focusing on clean architecture, strong design principles, and reliable DevOps practices. I enjoy solving complex engineering problems and designing systems that are maintainable, resilient, and built to scale. Matthew Butler Matthew Butler Systems Development Engineer @ Amazon Web Services Dor Yaloz Dor Yaloz SW engineer with 6+ years of experience, I worked with React/Node/Python did projects with React+Capacitor.js for ios Supabase expert Taufan Taufan I’m a product-focused engineer and tech leader who builds scalable systems and turns ideas into production-ready platforms. Over the past years, I’ve worked across startups and fast-moving teams, leading backend architecture, improving system reliability, and shipping products used by thousands of users. My strength is not just writing code — but connecting product vision, technical execution, and business impact.

You don't need to be technical. Just describe what's wrong and a verified developer will handle the rest.

Get Help

Frequently Asked Questions

Do I need CSRF protection if I use JWT authentication?

If your JWT is stored in localStorage and sent via Authorization header, CSRF protection is less critical since browsers don't automatically send localStorage data cross-site. However, if your JWT is stored in a cookie (common for SSR apps), you absolutely need CSRF protection.

Why do my API calls fail after adding CSRF protection?

Your frontend needs to include the CSRF token with every state-changing request. For SPAs, read the token from a cookie (e.g., XSRF-TOKEN) or a meta tag and add it as an X-CSRF-Token header in your HTTP client configuration.

Related Cursor Issues

HTML Escaping Removed, Creating XSS Vulnerability

security

Hardcoded API Keys and Secrets in Cursor-Generated Code

security

Cursor Installed Vulnerable or Outdated Dependencies

security

Can't fix it yourself?
Real developers can help.

You don't need to be technical. Just describe what's wrong and a verified developer will handle the rest.

Get Help