Download the PHP package lithemod/csrf without Composer

On this page you can find all versions of the php package lithemod/csrf. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, you have to add one include: require_once('vendor/autoload.php');. After that, import the classes with use statements.

Example:
If you use only one package, a project is not needed. But if you use more than one package, it is not possible to import the classes with use statements without a project.

In general, it is recommended to always use a project to download your libraries. An application normally needs more than one library.
Some PHP packages are not free to download and are therefore hosted in private repositories. In this case, credentials are needed to access such packages. Please use the auth.json textarea to insert credentials if a package comes from a private repository. You can look here for more information.

  • Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
  • Using Composer is sometimes complicated, especially for beginners.
  • Composer needs a lot of resources. Sometimes they are not available on a simple webspace.
  • If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.

Information about the package csrf

CSRF

The CSRF (Cross-Site Request Forgery) middleware in Lithe is a security layer that protects your application from attacks that attempt to perform actions on behalf of the user without their authorization. These attacks can occur when an authenticated user accesses a malicious site that tries to send requests to your application.

Installation

To install the CSRF middleware in your Lithe application, use Composer. Run the following command in your terminal:

Using the CSRF Middleware

The CSRF middleware should be configured in your Lithe application to protect routes that alter the state of the application (such as POST, PUT, DELETE). To configure it, add it to your application using the use() method on an instance of the Lithe application, and provide an array of configurations:

Middleware Configurations

The following configurations are available for the CSRF middleware:

Example configuration in a route:

Generating and Retrieving CSRF Tokens

The CSRF middleware generates a unique token for each session. You can generate and retrieve the token using the following methods within a route:

The generateToken method has an optional parameter that, when set to true, forces the generation of a new token.

Including the CSRF Token in Forms

To include the CSRF token in HTML forms, use the getTokenField() method to generate a hidden field with the token:

Verifying CSRF Tokens

The middleware automatically verifies the token in POST requests and other methods specified in bodyMethods when the checkBody option is enabled. If the token is invalid or missing, an HTTP 419 exception will be thrown. If checkBody is disabled, you can use the following methods to verify the validity of the token:

Token Manipulation Functions

Here are some useful functions for CSRF token manipulation:

Security Considerations

  1. Application Security: Using the CSRF middleware is essential for application security. Always include the token in all forms that submit modifiable data and in AJAX requests. The absence or invalidity of the token should be handled appropriately, usually resulting in redirects or error messages.

  2. Token Expiration: Configure the token expiration time to balance security and usability. Expired tokens should be regenerated, and the user should be notified if they attempt to use an invalid token.

  3. Body Verification: Enabling body verification (checkBody) increases security, especially in APIs that use methods like PUT and DELETE. However, this may add overhead to request processing, so evaluate your application’s needs.

  4. Token Regeneration: Enabling token regeneration on each request increases security, but it can also cause issues if users attempt to submit forms quickly. Use this with caution and test to ensure an adequate user experience.

  5. Error Handling: Be prepared to handle HTTP 419 exceptions thrown when the CSRF token is invalid or missing. Appropriate handling may include redirecting to an error page, displaying a user-friendly message, or even logging attack attempts for later analysis.

  6. Monitoring and Analysis: Consider implementing logging to monitor CSRF attack attempts. This can help identify suspicious patterns and further strengthen your application’s security.
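
The behaviour described in the sections above (one token per session, an expiry time, verification on state-changing methods, HTTP 419 on failure) can be sketched in plain PHP. This is an added example, not lithemod/csrf's code, and it does not use the package's API; the function names, the session key and the 600-second lifetime are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration in plain PHP, not lithemod/csrf code; every name below is hypothetical.
const CSRF_KEY = '_csrf_example';                 // assumed session key
const CSRF_TTL = 600;                             // assumed token lifetime in seconds
const CSRF_METHODS = ['POST', 'PUT', 'DELETE'];   // state-changing methods to verify

/** Return the session's token, issuing a new one if absent, expired or forced. */
function csrf_example_token(array &$session, int $now, bool $force = false): string
{
    $entry = $session[CSRF_KEY] ?? null;
    if ($force || $entry === null || $entry['expires'] <= $now) {
        // 32 bytes from the CSPRNG; never derive tokens from time or user data.
        $entry = ['value' => bin2hex(random_bytes(32)), 'expires' => $now + CSRF_TTL];
        $session[CSRF_KEY] = $entry;
    }
    return $entry['value'];
}

/** Return the status the request should get: 200 to proceed, 419 to reject. */
function csrf_example_check(array $session, string $method, ?string $submitted, int $now): int
{
    if (!in_array(strtoupper($method), CSRF_METHODS, true)) {
        return 200;                               // read-only methods are not checked
    }
    $entry = $session[CSRF_KEY] ?? null;
    if ($entry === null || $submitted === null || $entry['expires'] <= $now) {
        return 419;                               // no token issued, none sent, or expired
    }
    // hash_equals() compares in constant time, so timing does not leak the token.
    return hash_equals($entry['value'], $submitted) ? 200 : 419;
}

// Constructed demo: an array stands in for $_SESSION and the clock is fixed.
$session = [];
$t0 = 1700000000;
$token = csrf_example_token($session, $t0);
$cases = [
    'GET, no token'        => csrf_example_check($session, 'GET', null, $t0),
    'POST, valid token'    => csrf_example_check($session, 'POST', $token, $t0),
    'POST, missing token'  => csrf_example_check($session, 'POST', null, $t0),
    'DELETE, wrong token'  => csrf_example_check($session, 'DELETE', str_repeat('0', 64), $t0),
    'POST, expired token'  => csrf_example_check($session, 'POST', $token, $t0 + CSRF_TTL),
];
foreach ($cases as $label => $status) {
    // A 419 is the event worth logging: method, route and session id, never the token.
    printf("%-20s -> %d\n", $label, $status);
}
```

Passing the clock in as $now keeps expiry testable; in a real request it would come from time().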

All versions of csrf with dependencies

Requires:
  • lithemod/flow Version ^1.0
  • lithemod/session-support Version ^1.0
  • lithemod/log Version ^1.0
  • lithemod/httpexception Version ^1.0
