PHPackages                             chiron/csrf - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Security](/categories/security)
4. /
5. chiron/csrf

ActiveLibrary[Security](/categories/security)

chiron/csrf
===========

Give it a nice description!

1.0.9(4y ago)05MITPHPPHP ^8.0|^8.1

Since Oct 1Pushed 3y ago1 watchersCompare

[ Source](https://github.com/ncou/csrf)[ Packagist](https://packagist.org/packages/chiron/csrf)[ GitHub Sponsors](https://github.com/ncou)[ RSS](/packages/chiron-csrf/feed)WikiDiscussions master Synced 5d ago

READMEChangelog (10)Dependencies (9)Versions (11)Used By (0)

HTTP CSRF Protection - Middleware (PSR15)
=========================================

[](#http-csrf-protection---middleware-psr15)

PSR15 Middleware to protect your application againts [Cross-Site Request Forgery](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)

[![Build Status](https://camo.githubusercontent.com/01bbf1825f4386e286822688843df943f7715c3609490944e4ec06744bcdfe4d/68747470733a2f2f696d672e736869656c64732e696f2f7472617669732f6e636f752f637372662f6d61737465722e7376673f7374796c653d666c61742d737175617265)](https://travis-ci.org/ncou/csrf)[![Latest Version](https://camo.githubusercontent.com/3e6c72535af926f1097fb78b6fb5070649ac7660d1349f3fe6707aa22d24bb64/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f72656c656173652f6e636f752f637372662e7376673f7374796c653d666c61742d737175617265)](https://packagist.org/packages/chiron/csrf)[![Total Downloads](https://camo.githubusercontent.com/5902ed741716ad6740794f47224f6c0b5ee90931b2b95ca1ee0753d8c4c054a1/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f64742f636869726f6e2f637372662e7376673f7374796c653d666c61742d737175617265)](https://packagist.org/packages/chiron/csrf)

This middleware use the Cookies to store a token used for comparaison in each "unsafe" request (`POST`/`PUT`/`PATCH`/`DELETE`).

Why?
----

[](#why)

Because.

Installation
------------

[](#installation)

```
$ composer require chiron/csrf
```

To activate the extension:

```
[
    //...
    XXX\CsrfBootloader::class,
]
```

The extension will activate `Chiron\Csrf\Middleware\CsrfTokenMiddleware` to issue a unique token for every user request.

Enable Protection - Specific Route
----------------------------------

[](#enable-protection---specific-route)

The extension provides a middleware `CsrfProtectionMiddleware` which activates the protection on your routes (specific route or every routes). This middleware will protect all the requests for the "unsafe" methods `POST`, `PUT`, `PATCH`, `DELETE`.

```
use Chiron\Csrf\Middleware\CsrfProtectionMiddleware;

// ...

public function boot(RouterInterface $router)
{
    $route = new Route('/', new Target\Action(HomeController::class, 'index'));

    $router->setRoute(
        'index',
        $route->withMiddleware(CsrfProtectionMiddleware::class)
    );
}
```

Enable Protection - All Routes
------------------------------

[](#enable-protection---all-routes)

To activate CSRF protection on all the routes, you need to "globally" register `Chiron\Csrf\Middleware\CsrfProtectionMiddleware` via `MiddlewareQueue`:

```
use Chiron\Csrf\Middleware\CsrfProtectionMiddleware;

// ...

public function boot(MiddlewareQueue $middlewares)
{
    $middlewares->addMiddleware(CsrfProtectionMiddleware::class);
}
```

Usage
-----

[](#usage)

Once the protection is activated, you must sign every request with the token available via PSR-7 attribute `csrfToken`.

To receive this token in the controller or view:

```
public function index(ServerRequestInterface $request)
{
    $csrfToken = $request->getAttribute('csrfToken');
}
```

Every `POST`/`PUT`/`PATCH`/`DELETE` request from the user must include this token as POST parameter `csrf-token` or header `X-CSRF-Token`.

Users will receive an error `403 Forbidden` if a token is missing.

Users will receive an error `412 Precondition Failed` if the token has been tampered (and the cookie will be deleted).

```
public function index(ServerRequestInterface $request)
{
    $form = '

    ';

    $form = str_replace(
        '{csrfToken}',
        $request->getAttribute('csrfToken'),
        $form
    );

    return $form;
}
```

TODO
----

[](#todo)

- Add documentation on the "csrf\_token()" helper.
- Create a TwigExtension class to add the csrf\_token.

###  Health Score

28

—

LowBetter than 54% of packages

Maintenance20

Infrequent updates — may be unmaintained

Popularity4

Limited adoption so far

Community7

Small or concentrated contributor base

Maturity69

Established project with proven stability

 Bus Factor1

Top contributor holds 100% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~46 days

Recently: every ~84 days

Total

10

Last Release

1630d ago

PHP version history (2 changes)1.0PHP ^7.2

1.0.9PHP ^8.0|^8.1

### Community

Maintainers

![](https://avatars.githubusercontent.com/u/16743322?v=4)[ncou](/maintainers/ncou)[@ncou](https://github.com/ncou)

---

Top Contributors

[![ncou](https://avatars.githubusercontent.com/u/16743322?v=4)](https://github.com/ncou "ncou (31 commits)")

---

Tags

cross-site-request-forgerycsrfmiddlewareprotectionpsr15token

###  Code Quality

TestsPHPUnit

Static AnalysisPHPStan

Type Coverage Yes

### Embed Badge

![Health badge](/badges/chiron-csrf/health.svg)

```
[![Health](https://phpackages.com/badges/chiron-csrf/health.svg)](https://phpackages.com/packages/chiron-csrf)
```

###  Alternatives

[defuse/php-encryption

Secure PHP Encryption Library

3.9k162.4M214](/packages/defuse-php-encryption)[roave/security-advisories

Prevents installation of composer packages with known security vulnerabilities: no API, simply require it

2.9k97.3M6.4k](/packages/roave-security-advisories)[mews/purifier

Laravel 5/6/7/8/9/10 HtmlPurifier Package

2.0k16.7M113](/packages/mews-purifier)[robrichards/xmlseclibs

A PHP library for XML Security

41278.1M118](/packages/robrichards-xmlseclibs)[bjeavons/zxcvbn-php

Realistic password strength estimation PHP library based on Zxcvbn JS

86917.5M63](/packages/bjeavons-zxcvbn-php)[illuminate/encryption

The Illuminate Encryption package.

9229.7M280](/packages/illuminate-encryption)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)