CSRF Protector PHP is a standalone PHP library for CSRF mitigation in web applications. It is easy to integrate into any PHP web app.
Add a `composer.json` file to your project directory:

```json
{
    "require": {
        "owasp/csrf-protector-php": "dev-master"
    }
}
```

For production builds, pin a tagged release instead of `dev-master` so that a `composer update` cannot pull in unreviewed changes from the branch head.
For composer installations: copy the `config.sample.php` file into your root folder as `config/csrf_config.php`.
For non-composer installations: copy the `libs/csrf/config.sample.php` file to `libs/csrf/config.php`.
Edit the config accordingly. See the Detailed Information link below.
```php
<?php
include_once __DIR__ . '/vendor/owasp/csrf-protector-php/libs/csrf/csrfprotector.php';

// Initialise the CSRF Protector library
csrfProtector::init();
```
```html
<script type="text/javascript" src="path-to-jquery"></script>
<script type="text/javascript" src="path-to-js-from-this-repo/csrfprotector.js"></script>
```
Simply include the library and call the `init()` function in your app's `index.php` (or whichever entry point handles every request). Call it before any output is sent: `init()` sets the token cookie, and `setcookie()` fails once headers have gone out.
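The steps above put together, as an added example that is not part of the CSRF Protector project: an entry point that bootstraps the library, handles a state-changing POST, and renders a form. It assumes the composer layout shown above, that `jsUrl` is set to `FALSE` in `config/csrf_config.php` (so the script tags are added by hand), the default token name `csrfp_token`, and example asset paths (`/assets/jquery.min.js`, `/vendor/owasp/csrf-protector-php/js/csrfprotector.js`) and a hypothetical `email` field.

```php
<?php
// Added example (not the project's own code). Assumptions: composer layout,
// jsUrl => FALSE in config/csrf_config.php, default token name csrfp_token,
// and the asset paths in the <script> tags below.

// init() must run before any output: it sets the token cookie, and
// setcookie() fails once headers have been sent.
require_once __DIR__ . '/vendor/owasp/csrf-protector-php/libs/csrf/csrfprotector.php';
csrfProtector::init();

// With the default failedAuthAction of 0 the library answers a failed POST
// with 403 Forbidden, so a POST that reaches this line has a valid token.
// If you choose action 1 (strip the query and forward), the handler still
// runs; read the data through $_POST only, because filter_input() and
// php://input return the original request body and never see the strip.
$message = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $newEmail = isset($_POST['email'])
        ? filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)
        : false;
    if ($newEmail === false) {
        $message = 'Invalid email address.';
    } else {
        // ... update the logged-in user's email here (hypothetical) ...
        $message = 'Email updated.';
    }
}

// No-JS fallback: csrfprotector.js normally injects the token into forms.
// Emitting it as a hidden field from the cookie (assumption: the server
// compares the posted parameter against the cookie of the same name) keeps
// the form working when the script did not run.
$tokenName = 'csrfp_token';
$token = isset($_COOKIE[$tokenName]) ? $_COOKIE[$tokenName] : '';
$h = static function ($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); };
?>
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>Account settings</title>
</head>
<body>
  <?php if ($message !== ''): ?><p><?= $h($message) ?></p><?php endif; ?>
  <form method="post" action="">
    <label>New email <input type="email" name="email" required></label>
    <input type="hidden" name="<?= $h($tokenName) ?>" value="<?= $h($token) ?>">
    <button type="submit">Save</button>
  </form>
  <script src="/assets/jquery.min.js"></script>
  <script src="/vendor/owasp/csrf-protector-php/js/csrfprotector.js"></script>
</body>
</html>
```

Everything that reads request data sits after `init()`, so no handler can run on a request the library has rejected; keep it that way when you split the page into controllers.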
- `CSRFP_TOKEN`: name of the CSRF nonce, used for the cookie and for the parameter posted with the request. Default: `csrfp_token` (if left blank).
- `logDirectory`: location of the directory in which log files will be saved, either relative to the default `config.php` file location or an absolute path. This is required for file-based logging (the default); it is not needed if you override the logging function to implement your own logging logic (see Overriding logging function). Default: `../log/`
- `failedAuthAction`: action code (integer) for the action to be taken in case of failed validation. Has two separate values, one for `GET` and one for `POST`. Default: `0` for both `GET` and `POST`. The action codes are:
    - `0`: send a 403 Forbidden header
    - `1`: strip the POST/GET query and forward the request (`unset($_POST)`)
    - `2`: redirect to the custom error page set in `errorRedirectionPage`
    - `3`: show the custom error message set in `customErrorMessage` to the user
    - `4`: send a 500 Internal Server Error header
- `errorRedirectionPage`: absolute URL of the page to which the user should be redirected. Default: `null`
- `customErrorMessage`: error message to be shown to the user. Only this text will be shown. Default: `null`
- `jsUrl`: absolute URL of the JS file, or `FALSE` if the JS file will be added to the page manually (see Setting up for more information).
- `tokenLength`: length of the csrfp token. Default: `10`
- `cookieConfig`: array of parameter values for the set-cookie call. Supports four properties: `path`, `domain`, `secure` and `expire`. They have the same meaning as the respective parameters of PHP's `setcookie` function (learn more at php.net).
- `disabledJavascriptMessage`: message to be shown if JavaScript is disabled (string)
- `verifyGetForPost`: regex rules for those URLs for which csrfp validation should also be enabled for `POST` requests.
- `verifyGetFor`: regex rules for those URLs for which csrfp validation should also be enabled for `GET` requests.
- `referers`: array of referers for which CSRF validation is disabled
- `agentURIs`: array of `agent => requestURI` pairs for which CSRF validation is disabled

Note that `referers` and `agentURIs` are matched against the `Referer` and `User-Agent` request headers, which any non-browser client can set freely, so keep these exemption lists as short as possible.
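A hardened configuration using the options documented above, as an added example that is not the project's shipped `config.sample.php`. The return-array layout (an array keyed by option name, with `GET`/`POST` sub-keys under `failedAuthAction` and a nested array for `cookieConfig`), the regex syntax of the `verifyGetFor` rules, and the hostname, log path and URL paths are assumptions for the example; check them against the sample file you copied.

```php
<?php
// Added example (not the project's config.sample.php). The array layout,
// the regex syntax of verifyGetFor rules, and all paths/hostnames are
// assumptions; verify them against the sample config you copied.
return array(
    // Token name used for the cookie and the request parameter.
    // Blank means the default csrfp_token.
    "CSRFP_TOKEN" => "csrfp_token",

    // Absolute path keeps logs out of the web root. The relative default
    // "../log/" resolves against the config file location, which is easy
    // to get wrong when the config is moved.
    "logDirectory" => "/var/log/csrfp",

    // Fail closed. Code 1 ("strip the query and forward") is the weak
    // choice: the handler still runs, and any code that reads php://input
    // or filter_input() instead of $_POST never sees the strip.
    "failedAuthAction" => array(
        "GET"  => 0,   // 403 Forbidden
        "POST" => 0,   // 403 Forbidden
    ),
    "errorRedirectionPage" => "",
    "customErrorMessage"   => "",

    // FALSE: we add <script src=".../csrfprotector.js"> to the page
    // ourselves instead of letting the library inject a URL.
    "jsUrl" => false,

    // Default is 10; a longer token is not guessable in practice.
    "tokenLength" => 32,

    // Cookie scope: explicit path and domain, secure so the token is only
    // sent over HTTPS, no expiry so it lives with the browser session.
    "cookieConfig" => array(
        "path"   => "/",
        "domain" => "app.example.com",   // assumed hostname
        "secure" => true,
        "expire" => "",
    ),

    "disabledJavascriptMessage" => "This site requires JavaScript to submit forms.",

    // By default only POST is validated, so any GET endpoint that changes
    // state is unprotected unless it is listed here (assumed paths and
    // assumed regex syntax).
    "verifyGetFor" => array(
        "^/account/delete",
        "^/cart/remove",
    ),

    // Exemptions match client-supplied headers; leave them empty unless a
    // specific integration needs one.
    "referers"  => array(),
    "agentURIs" => array(),
);
```

The two settings that most often bite in review are `failedAuthAction` left at `1`, which turns a rejected request into a silently degraded one, and `verifyGetFor` left empty on an app that still has state-changing links.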
OS: windows

| Cases | IE (Win) | Opera | Chrome | Mozilla | Safari |
|---|---|---|---|---|---|
| XHR wrapping | | | | | |
| HTML dom-0 wrapping | | | | | |
| HTML dom-2 wrapping | | | | | |
| URL rewriting | | | | | |

OS: macos

| Cases | Chrome |
|---|---|
| XHR wrapping | |
| HTML dom-0 wrapping | |
| HTML dom-2 wrapping | |
| URL rewriting | |

Note: a missing tick means this has not yet been implemented or tested.