Download the PHP package slim/csrf without Composer
On this page you can find all versions of the php package slim/csrf. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Package csrf
Short Description Slim Framework 4 CSRF protection PSR-15 middleware
License MIT
Homepage https://www.slimframework.com
Informations about the package csrf
Slim Framework CSRF Protection
This repository contains a Slim Framework CSRF protection PSR-15 middleware. CSRF protection applies to all unsafe HTTP requests (POST, PUT, DELETE, PATCH).
You can fetch the latest CSRF token's name and value from the Request object with its getAttribute()
method. By default, the CSRF token's name is stored in the csrf_name
attribute, and the CSRF token's value is stored in the csrf_value
attribute.
Install
Via Composer
Requires Slim 4.0.0 or newer.
Usage
In most cases you want to register Slim\Csrf for all routes, however, as it is middleware, you can also register it for a subset of routes.
Register for all routes
Register per route
Manual usage
If you are willing to use Slim\Csrf\Guard
outside a Slim\App
or not as a middleware, be careful to validate the storage:
Token persistence
By default, Slim\Csrf\Guard
will generate a fresh name/value pair after each request. This is an important security measure for certain situations. However, in many cases this is unnecessary, and a single token throughout the user's session will suffice. By using per-session requests it becomes easier, for example, to process AJAX requests without having to retrieve a new CSRF token (by reloading the page or making a separate request) after each request. See issue #49.
To use persistent tokens, set the sixth parameter of the constructor to true
. No matter what, the token will be regenerated after a failed CSRF check. In this case, you will probably want to detect this condition and instruct your users to reload the page in their legitimate browser tab (or automatically reload on the next failed request).
Accessing the token pair in templates (Twig, etc)
In many situations, you will want to access the token pair without needing to go through the request object. In these cases, you can use getTokenName()
and getTokenValue()
directly on the Guard
middleware instance. This can be useful, for example in a Twig extension:
Once you have registered your extension, you may access the token pair in any template:
Handling validation failure
By default, Slim\Csrf\Guard
will return a Response with a 400 status code and
a simple plain text error message.
To override this, provide a callable as the third parameter to the constructor
or via setFailureHandler()
. This callable has the same signature as
middleware: function($request, $handler)
and must return a Response.
For example:
In this example, an attribute is set on the request object that can then be checked in subsequent middleware or the route callable using:
Testing
Contributing
Please see CONTRIBUTING for details.
Security
If you discover any security related issues, please email [email protected] instead of using the issue tracker.
Credits
- Josh Lockhart
- All Contributors
- Initial inspiration from OWASP
License
The MIT License (MIT). Please see License File for more information.
All versions of csrf with dependencies
psr/http-factory Version ^1.1
psr/http-message Version ^1.0 || ^2.0
psr/http-server-handler Version ^1.0
psr/http-server-middleware Version ^1.0