CSRF Protection

[Since 0.5.0]

Introduction

Read this article from Wikipedia to learn what a Cross-site request forgery is.

To protect your application against CSRF attacks, consider the following.

Form

You should add a hidden field with a CSRF token in each form like this:

<input name="_token" value="{{csrf_token()}}" type="hidden"/>

Middleware

Pletfix provides a middleware out of the box to check the CSRF token. You may add this middleware into your route file like this:

$route->middleware('csrf');

If you have bound the CSRF middleware as above, a POST request is only accepted if it carries a valid CSRF token; a request with a missing or wrong token is rejected.

Ajax

The csrf middleware also reads the token from the "X-CSRF-TOKEN" header. Therefore, if you use the jQuery library, you can set the CSRF token globally like this so that the token is sent with every Ajax request automatically:

$.ajaxSetup({
    headers: {
        // Reads the token from <meta name="csrf-token" content="..."> in the page head.
        'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
    }
});

If you have installed the Pletfix Application Skeleton, this setup above is already done.
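To make the check described in the Middleware and Ajax sections concrete, here is an added illustration of what such a middleware has to do for one request. It is not Pletfix's own middleware: the function signature, the assumption that the session stores its token under the key "_token", and the sample requests are all constructed for this example. It also generalises the page's statement about POST to every non-safe method (PUT, PATCH, DELETE), which is the usual rule.

```php
<?php
// Added illustration, not Pletfix's own middleware: the check a CSRF middleware
// performs for one request, written as a plain function so it runs from the CLI.
// Assumptions (not from the page): the session keeps the issued token under
// '_token', and a request is represented by the method, form fields and headers.

declare(strict_types=1);

/**
 * Return true if the request may proceed, false if it must be rejected.
 *
 * @param string               $method       HTTP method, e.g. 'GET' or 'POST'
 * @param array<string,string> $post         form fields (the '_token' hidden field)
 * @param array<string,string> $headers      request headers, names case-insensitive
 * @param string|null          $sessionToken token issued to this session, null if none
 */
function csrfRequestAllowed(string $method, array $post, array $headers, ?string $sessionToken): bool
{
    // Safe methods do not change state and are not CSRF targets;
    // every other method (POST, PUT, PATCH, DELETE) must carry a token.
    if (in_array(strtoupper($method), ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true;
    }

    // No token was ever issued to this session: nothing can match, so reject.
    if ($sessionToken === null || $sessionToken === '') {
        return false;
    }

    // Prefer the hidden form field; fall back to the X-CSRF-TOKEN header (Ajax).
    $supplied = $post['_token'] ?? null;
    if ($supplied === null) {
        foreach ($headers as $name => $value) {
            if (strcasecmp($name, 'X-CSRF-TOKEN') === 0) {
                $supplied = $value;
                break;
            }
        }
    }

    if (!is_string($supplied) || $supplied === '') {
        return false;
    }

    // Constant-time comparison: a plain == stops at the first differing byte and
    // would leak how much of the token an attacker has guessed through timing.
    return hash_equals($sessionToken, $supplied);
}

// Constructed sample requests (not real traffic); a fresh session token each run.
$session = bin2hex(random_bytes(20));
$cases = [
    'GET without token'            => ['GET',  [],                       [],                           $session],
    'POST with valid form token'   => ['POST', ['_token' => $session],   [],                           $session],
    'POST with valid header token' => ['POST', [],                       ['X-CSRF-TOKEN' => $session], $session],
    'POST with wrong token'        => ['POST', ['_token' => 'deadbeef'], [],                           $session],
    'POST with no token'           => ['POST', ['name' => 'x'],          [],                           $session],
    'POST, session has no token'   => ['POST', ['_token' => 'abc'],      [],                           null],
];

foreach ($cases as $label => [$method, $post, $headers, $sessionToken]) {
    printf("%-30s %s\n", $label,
        csrfRequestAllowed($method, $post, $headers, $sessionToken) ? 'allowed' : 'rejected');
}
```

Run it with `php csrf_check.php`; only the GET and the two POSTs carrying the session's token are allowed. The two points worth keeping from it are that the token is accepted from either the form field or the header, so the same middleware serves classic forms and Ajax, and that the comparison uses hash_equals rather than ==.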
