schnittstabil / psr7-csrf-middleware
Stateless PSR-7 CSRF (Cross-Site Request Forgery) protection middleware - simple Slim Framework 3 integration.
Installs: 109 572
Dependents: 1
Suggesters: 0
Security: 0
Stars: 6
Watchers: 3
Forks: 2
Open Issues: 1
Requires
- php: >=5.6.0
- psr/http-message: ^1.0
- schnittstabil/csrf-tokenservice: ^2.0
- schnittstabil/get: ^2.0
- schnittstabil/psr7-middleware-stack: ^3.0
Requires (Dev)
- codeclimate/php-test-reporter: ^0.3.0
- dflydev/fig-cookies: ^1.0
- fabpot/php-cs-fixer: ^1.10
- halleck45/phpmetrics: ^1.8
- pdepend/pdepend: dev-fix-namespaced-consts-and-functions as 2.0
- phpmd/phpmd: ^2.3
- satooshi/php-coveralls: ^1.0.1
- schnittstabil/sugared-phpunit: ^0.2.0
- slim/slim: 3.3.0
- squizlabs/php_codesniffer: ^2.5
- vladahejda/phpunit-assert-exception: ^1.0
- zendframework/zend-diactoros: ^1.3
Suggests
- dflydev/fig-cookies: To protect via Cookies, e.g. MiddlewareBuilder::buildCookieToHeaderMiddleware().
README
Stateless PSR-7 CSRF (Cross-Site Request Forgery) protection middleware 🔏
Install
$ composer require schnittstabil/psr7-csrf-middleware
Usage
<?php require __DIR__.'/vendor/autoload.php'; use Schnittstabil\Psr7\Csrf\MiddlewareBuilder as CsrfMiddlewareBuilder; /* * Shared secret key used for generating and validating CSRF tokens: */ $key = 'This key is not so secret - change it!'; /* * Build a stateless Synchronizer Token Pattern CSRF proptection middleware. */ $csrfMiddleware = CsrfMiddlewareBuilder::create($key) ->buildSynchronizerTokenPatternMiddleware(); /* * Build a (AngularJS compatible) stateless Cookie-To-Header CSRF proptection middleware. * * Requires additional dependency: * composer require dflydev/fig-cookies */ $csrfMiddleware = CsrfMiddlewareBuilder::create($key) ->buildCookieToHeaderMiddleware(); ?>
Slim v3 Example
- See csrf-twig-helpers for complete Slim-Twig Examples.
<?php /* * Requires additional dependency: * composer require slim/slim */ require __DIR__.'/vendor/autoload.php'; use Psr\Http\Message\RequestInterface; use Psr\Http\Message\ResponseInterface; use Slim\App; use Schnittstabil\Psr7\Csrf\MiddlewareBuilder as CsrfMiddlewareBuilder; $app = new App(); /* * CSRF protection setup */ $app->getContainer()['csrf_token_name'] = 'X-XSRF-TOKEN'; $app->getContainer()['csrf'] = function ($c) { $key = 'This key is not so secret - change it!'; return CsrfMiddlewareBuilder::create($key) ->buildSynchronizerTokenPatternMiddleware($c['csrf_token_name']); }; $app->add('csrf'); /* * GET routes are not protected (by default) */ $app->get('/', function (RequestInterface $request, ResponseInterface $response) { $name = $this->csrf_token_name; $token = $this->csrf->getTokenService()->generate(); // render HTML... $response = $response->write("<input type=\"hidden\" name=\"$name\" value=\"$token\" />"); return $response->write('successfully GET!'); }); /* * POST routes are protected (by default; same applies to PUT, DELETE and PATCH) */ $app->post('/', function (RequestInterface $request, ResponseInterface $response) { return $response->write('successfully POST'); }); /* * Run application */ $app->run(); ?>
Related
- schnittstabil/csrf-tokenservice – the underlying (stateless) token service
- schnittstabil/csrf-twig-helpers – Twig helpers for token rendering
- Slim-Csrf – stateful (session based) CSRF protection
License
MIT © Michael Mayer