you dont need csrf protection.

the only time you need to worry about csrf in nextjs is if you do something like this

<form action="/api/form" method="post">

with action being a string pointing to a URL

ok, thank you for your reply @joulev ! From my understanding, any router handler is a public endpoint. Although it is not used as a form action, I think any router handler need csrf protection if it has db mutation. Please correct me if my understanding is incorrect. Thank you

If your endpoint takes data in the form of json (e.g. res.json()), it is not vulnerable against csrf attacks. Csrf attacks target endpoints that are used as the action of a form in html, i.e. <form action="/api/vulnerable">

using usechat ai sdk from vercel , and it needs a api endpoint to work. In addition, the endpoint uses cookies (e.g., session, auth, or JWT cookies) for authentication, so I think that CSRF protection is mandatory. Attackers can exploit the browser’s automatic cookie inclusion in requests to forge malicious actions.

Also, the useChat SDK sends POST requests to the endpoint. Since POST is a state-changing method, it’s a prime target for CSRF attacks if cookies are involved.

the code example,

<form action="https://vulnerable.com/transfer" method="POST">
<input type="hidden" name="amount" value="1000">
<input type="hidden" name="to" value="attacker">
</form>
<script>document.forms[0].submit();</script>

the form could auto submit when the user visit the link @joulev

useChat uses POST but does not use the format of <form action=…>. useChat uses the format of fetch(…, { method: post }), which is not vulnerable to csrf as the form can not be autosubmitted by clicking anything on a different website