ThinkJS ships a middleware that handles CSRF protection, but it is disabled by default. To enable it, register the middleware in src/common/config/hook.js like this:
export default {
logic_before: ['prepend', 'csrf']
}
The default CSRF configuration is shown below; you can override any of these values in src/common/config/csrf.js:
export default {
  session_name: '__CSRF__', // key under which the token is stored in the session
  form_name: '__CSRF__', // form field (request parameter) whose value is compared against the session token
  errno: 400, // error number returned when the check fails
  errmsg: 'token error' // error message returned when the check fails
};