(/deployments/overview): recommend adding authorizedParties to clerkM…

…iddleware (#1845) Co-authored-by: Alexis Aguilar <[email protected]>
clerk · Jan 10, 2025 · e3922e2 · e3922e2
1 parent aa67997
commit e3922e2
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 2 deletions.
diff --git a/docs/deployments/overview.mdx b/docs/deployments/overview.mdx
@@ -59,6 +59,32 @@ When you set a root domain for your production deployment, Clerk's authenticatio
 
 To share sessions and authentication across two different domains with the same Clerk application, see the [Authentication across different domains guide](/docs/advanced-usage/satellite-domains).
 
+
+## Configure `authorizedParties` for secure request authorization
+For enhanced security, it's highly recommended to explicitly set the `authorizedParties` option when authorizing requests. This option acts as an allowlist of origins to verify against, protecting your application from subdomain cookie leaking attacks. Without this setting, if an app on another subdomain of the same root domain as your Clerk app is compromised, that app could potentially generate valid sessions for your Clerk app.
+
+The `authorizedParties` value should include a list of domains allowed to make requests to your application. Omitting this setting can expose your application to [CSRF attacks](https://owasp.org/www-community/attacks/csrf).
+
+### Examples
+
+The following examples show how to set `authorizedParties` with different Clerk helpers.
+
+#### Set `authorizedParties` with `clerkMiddleware()`
+
+```typescript
+clerkMiddleware({
+  authorizedParties: ['https://example.com']
+})
+```
+
+#### Set `authorizedParties` with `authenticateRequest()`
+
+```typescript
+clerkClient.authenticateRequest(req, {
+  authorizedParties: ['https://example.com'],
+})
+```
+
 ## Deploy certificates
 
 The Clerk Dashboard home page will tell you what steps are still required to deploy your production instance. Once you have completed all of the necessary steps, a **Deploy certificates** button will appear. Selecting this button will deploy your production instance.

diff --git a/docs/references/sdk/backend-only.mdx b/docs/references/sdk/backend-only.mdx
@@ -80,7 +80,9 @@ You can manually create a wrapper library around the [BAPI OpenAPI](https://cler
     return async (context, next) => {
       const clerkClient = options.clerkClient || defaultClerkClient
 
-      const requestState = await clerkClient.authenticateRequest(context.req)
+      const requestState = await clerkClient.authenticateRequest(context.req, {
+        authorizedParties: ['https://example.com'],
+      })
 
       context.set('clerkAuth', requestState.toAuth())
       context.set('clerk', clerkClient)

diff --git a/docs/references/sdk/fullstack.mdx b/docs/references/sdk/fullstack.mdx
@@ -42,7 +42,9 @@ In addition to these instructions, you'll need to go through the following steps
     return async (context, next) => {
       const clerkClient = options.clerkClient || defaultClerkClient
 
-      const requestState = await clerkClient.authenticateRequest(context.req)
+      const requestState = await clerkClient.authenticateRequest(context.req, {
+        authorizedParties: ['https://example.com'],
+      })
 
       if (requestState.headers) {
         // This adds observability headers to the res