diff --git a/src/middleware/csrf/index.test.ts b/src/middleware/csrf/index.test.ts
index 517d7a625..38537e5ba 100644
--- a/src/middleware/csrf/index.test.ts
+++ b/src/middleware/csrf/index.test.ts
@@ -206,6 +206,15 @@ describe('CSRF by Middleware', () => {
 expect(res.status).toBe(403)
 expect(simplePostHandler).not.toHaveBeenCalled()
 })
+
+ it('should be 403 if the content-type is not set', async () => {
+ const res = await app.request('/form', {
+ method: 'POST',
+ body: new Blob(['test'], {}),
+ })
+ expect(res.status).toBe(403)
+ expect(simplePostHandler).not.toHaveBeenCalled()
+ })
 })
 
 describe('with origin option', () => {
diff --git a/src/middleware/csrf/index.ts b/src/middleware/csrf/index.ts
index ae622c3f7..44881b7b0 100644
--- a/src/middleware/csrf/index.ts
+++ b/src/middleware/csrf/index.ts
@@ -76,7 +76,7 @@ export const csrf = (options?: CSRFOptions): MiddlewareHandler => {
 return async function csrf(c, next) {
 if (
 !isSafeMethodRe.test(c.req.method) &&
- isRequestedByFormElementRe.test(c.req.header('content-type') || '') &&
+ isRequestedByFormElementRe.test(c.req.header('content-type') || 'text/plain') &&
 !isAllowedOrigin(c.req.header('origin'), c)
 ) {
 const res = new Response('Forbidden', {
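Review bot: The test's intent — a POST that carries no Content-Type header at all — rests entirely on `body: new Blob(['test'], {})`, which is easy to misread as "a plain-text body"; a one-line comment would make the setup explicit, e.g. `// a Blob with no type set should produce a request with no Content-Type header`. The empty options object adds nothing and `new Blob(['test'])` reads the same. The enclosing `describe` block starts and ends outside the hunk.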
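Review bot: The changed fallback from `''` to `'text/plain'` is the entire fix, yet nothing in the code says why a missing Content-Type must be treated as a form submission, so a later reader could revert it as a cosmetic oddity; a why-comment above the condition would pin it down, e.g. `// No Content-Type is treated as a text/plain form post so a request that omits the header cannot skip the origin check.`. Using `||` rather than `??` is also the conservative choice here, because an empty header value then takes the checked path too, and that is worth stating so it is not later "fixed" to `??`. `isRequestedByFormElementRe` is defined outside the hunk; I infer it matches `text/plain` only from the new test expecting 403 for a body without Content-Type. The enclosing `csrf` handler continues past the end of the hunk.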