Home
The OWASP CSRF Protector Project is an effort by a group of developers to secure web applications against Cross Site Request Forgery (CSRF). It provides a PHP library and an Apache 2.x.x module (mod_csrfprotector), which are used differently, for easy mitigation.
The CSRFP-php library is a standalone PHP library that can be used to mitigate CSRF in a web application. It works as a server-side interceptor: every request is processed by CSRFP before it reaches the web application logic, so that each incoming request can be validated for a CSRF token. The token logic is based on a pseudo-random code. On successful validation the request is forwarded to the web application; otherwise, actions are taken as per configuration (see configurations).
Similarly, every output generated by the web application is filtered and modified by the library. Its main task is to append JavaScript code to the generated output, which is done by output buffering in PHP. Along with this, a <noscript> notice is appended for browsers that do not support JavaScript.
Note: A no-JavaScript mode is also supported; check the nojs branch for it. However, it is advised to use the master version if your web app requires JavaScript to be enabled in the client browser. See why?
The JavaScript code attached to the HTML output makes sure the token is attached to every request for which the server requires a token.
Note: Currently CSRFP validates every POST request, and those GET requests whose URL patterns are allowed as per configuration.
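The interceptor and output-buffering flow described above, as an added illustration that is not the CSRFP library's own code: the function names (csrfp_*), the field and header names (csrfp_token, X-CSRFP-Token) and the 403 failure action are assumptions for this example, which targets PHP 7 or later.

```php
<?php
// Illustration of the CSRFP architecture, not the library's code.
// Names such as csrfp_token / X-CSRFP-Token are assumed for this example.
session_start();

// One token per session, drawn from the CSPRNG (random_bytes).
function csrfp_token(): string {
    if (empty($_SESSION['csrfp_token'])) {
        $_SESSION['csrfp_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrfp_token'];
}

// Interceptor step: validate every POST before application logic runs.
// The token may arrive as a form field (static/dynamic forms) or as a
// header (XHR). GET handling is left to configuration rules, as in CSRFP.
function csrfp_validate(): void {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return;
    }
    $sent = $_POST['csrfp_token'] ?? ($_SERVER['HTTP_X_CSRFP_TOKEN'] ?? '');
    // hash_equals() compares in constant time, avoiding timing leaks.
    if (!hash_equals(csrfp_token(), (string) $sent)) {
        http_response_code(403);          // assumed failure action
        exit('CSRF validation failed');
    }
}

// Output filter: runs on the buffered page and appends the token-attaching
// script plus a <noscript> notice just before </body>.
function csrfp_output_filter(string $html): string {
    $inject = '<script>'
        . 'document.querySelectorAll("form[method=post]").forEach(function (f) {'
        . '  var i = document.createElement("input"); i.type = "hidden";'
        . '  i.name = "csrfp_token"; i.value = ' . json_encode(csrfp_token()) . ';'
        . '  f.appendChild(i);'
        . '});'
        . '</script>'
        . '<noscript>This site needs JavaScript enabled for CSRF protection.</noscript>';
    return str_ireplace('</body>', $inject . '</body>', $html);
}

csrfp_validate();                 // 1. intercept the incoming request
ob_start('csrfp_output_filter');  // 2. buffer and filter the outgoing response

// Application code follows; constructed sample page for the demonstration:
echo '<html><body><form method="post" action="/transfer">'
   . '<button>Send</button></form></body></html>';
```

Save the file under a PHP-enabled web root and load it in a browser: the rendered form carries a hidden csrfp_token field, and a POST without a matching token is rejected with 403.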
The library is supported for PHP versions starting from PHP 5.4.
Token protection covers:
- Static form elements (<form>)
- Dynamically generated forms
- AJAX requests (XHR or XMLHttpRequest)
- Static URLs (if allowed by configuration rules)
Here is a list of resources you may need to deploy or integrate CSRFP in your web application:
- IMPORTANT setting up CSRFP - php library
- How to use?
- Changing CSRFP configuration and behavior
- High Level Design Documentation
- Low Level Design Documentation
- Library Documentation
- Setting rules for GET request validation
- CSRF token
- Overriding logging function
- Js version versus NOJS version
- What to do if token expires
PS: This wiki is still under development. Please create a GitHub issue for any correction.