PHPackages                             dneustadt/csrf-cookie-bundle - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Security](/categories/security)
4. /
5. dneustadt/csrf-cookie-bundle

ActiveSymfony-bundle[Security](/categories/security)

dneustadt/csrf-cookie-bundle
============================

CSRF protection cookie for use with XHR

1.0.7(2y ago)1379.2k↓40%7[1 PRs](https://github.com/dneustadt/DneustadtCsrfCookieBundle/pulls)1MITPHPPHP &gt;=7.2.5

Since Oct 2Pushed 2y ago2 watchersCompare

[ Source](https://github.com/dneustadt/DneustadtCsrfCookieBundle)[ Packagist](https://packagist.org/packages/dneustadt/csrf-cookie-bundle)[ Docs](https://neustadt.dev)[ RSS](/packages/dneustadt-csrf-cookie-bundle/feed)WikiDiscussions main Synced 1mo ago

READMEChangelog (8)Dependencies (5)Versions (9)Used By (1)

CSRF Cookie Bundle
==================

[](#csrf-cookie-bundle)

This [Symfony](http://symfony.com) bundle provides [Cross Site Request Forgery](http://en.wikipedia.org/wiki/Cross-site_request_forgery)(CSRF or XSRF) protection for client-side applications requesting endpoints provided by Symfony through XHR.

Heavily influenced and inspired by [DunglasAngularCsrfBundle](https://github.com/dunglas/DunglasAngularCsrfBundle)

Requirements
------------

[](#requirements)

- Symfony &gt;= 5.x

Working method
--------------

[](#working-method)

To store the CSRF token client-side a cookie containing the token can be set by one or more predetermined routes. The bundle is pre-configured in a way that modern client-side http clients such as [Axios](https://github.com/axios/axios)will automatically pick up said cookie. On subsequent requests to Symfony the CSRF token can then be added to the HTTP header to be validated server-side. Again, some clients may already do so automatically e.g. Axios.

Installation
------------

[](#installation)

Use [Composer](http://getcomposer.org/) to install this bundle:

```
composer require dneustadt/csrf-cookie-bundle

```

General Configuration
---------------------

[](#general-configuration)

```
# config/packages/dneustadt_csrf_cookie.yaml
dneustadt_csrf_cookie:
    # Generally enable/disable the CSRF protection
    enable: true
    # ID used to generate token
    id: csrf
    # Name of the cookie the token is stored in
    name: XSRF-TOKEN
    # Cookie expiration
    expire: 0
    # Cookie path
    path: /
    # Cookie domain
    domain: null
    # Cookie HttpOnly
    httpOnly: true
    # Cookie secure
    secure: false
    # Name of the HTTP header the token is expected to be stored in
    header: X-XSRF-TOKEN
    # Cookie same site policy
    sameSite: lax
```

Routes Configurations
---------------------

[](#routes-configurations)

Routes can be set up to either provide (`create`) a token, be secured by (`require`) a token or both.

Since the defaults of a single route or a route collection are used to configure the behaviour it is possible to do so either by means of configuration files or annotations.

```
# config/routes.yaml
api_controllers:
    resource: ../src/Controller/Api
    type: annotation
    defaults:
        csrf:
            # bool or array of allowed methods
            create: true
            # bool or array of allowed methods
            require:
                - 'POST'
                - 'PUT'
                - 'PATCH'
                - 'DELETE'
            # array of route names to be excluded from create/require in this collection
            exclude:
                - 'app_api_blog_index'
            # additional condition using ExpressionLanguage syntax
            condition: 'request.isXmlHttpRequest()'
```

For more information on conditions see [ExpressionLanguage](https://symfony.com/doc/current/components/expression_language.html)

As annotation:

```
// src/Controller/Api/ExampleController.php
namespace App\Controller\Api;

// ...

class ExampleController extends AbstractController
{
    /**
     * @Route("/api/index", methods={"GET","HEAD"}, defaults={"csrf": {"create": true}})
     */
    public function index()
    {
        // ...
    }
}
```

Symfony Form Component
----------------------

[](#symfony-form-component)

Built-in CSRF Protection of forms will be automatically disabled for routes that are configured to be secured by means of the token stored in the HTTP header, provided said token can be successfully validated.

###  Health Score

35

—

LowBetter than 80% of packages

Maintenance20

Infrequent updates — may be unmaintained

Popularity39

Limited adoption so far

Community17

Small or concentrated contributor base

Maturity54

Maturing project, gaining track record

 Bus Factor1

Top contributor holds 80% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~141 days

Recently: every ~111 days

Total

8

Last Release

1062d ago

### Community

Maintainers

![](https://www.gravatar.com/avatar/69c1745bd6023c706f651e9bdb38515fc7678caf52b9580126141381168669cd?d=identicon)[dneustadt](/maintainers/dneustadt)

---

Top Contributors

[![dneustadt](https://avatars.githubusercontent.com/u/9033214?v=4)](https://github.com/dneustadt "dneustadt (16 commits)")[![mercuryseries](https://avatars.githubusercontent.com/u/5163810?v=4)](https://github.com/mercuryseries "mercuryseries (3 commits)")[![chrisguitarguy](https://avatars.githubusercontent.com/u/1010392?v=4)](https://github.com/chrisguitarguy "chrisguitarguy (1 commits)")

---

Tags

ajaxangularaxioscsrfreactsecurityvuexhrxsrfsecurityajaxreactcsrfangularVue.jsxhrxsrfaxios

### Embed Badge

![Health badge](/badges/dneustadt-csrf-cookie-bundle/health.svg)

```
[![Health](https://phpackages.com/badges/dneustadt-csrf-cookie-bundle/health.svg)](https://phpackages.com/packages/dneustadt-csrf-cookie-bundle)
```

###  Alternatives

[symfony/security-bundle

Provides a tight integration of the Security component into the Symfony full-stack framework

2.5k172.9M1.8k](/packages/symfony-security-bundle)[sylius/sylius

E-Commerce platform for PHP, based on Symfony framework.

8.4k5.6M651](/packages/sylius-sylius)[prestashop/prestashop

PrestaShop is an Open Source e-commerce platform, committed to providing the best shopping cart experience for both merchants and customers.

9.0k15.4k](/packages/prestashop-prestashop)[scheb/2fa

Two-factor authentication for Symfony applications (please use scheb/2fa-bundle to install)

578630.7k1](/packages/scheb-2fa)[contao/core-bundle

Contao Open Source CMS

1231.6M2.4k](/packages/contao-core-bundle)[tilleuls/url-signer-bundle

Create and validate signed URLs with a limited lifetime in Symfony

81340.1k](/packages/tilleuls-url-signer-bundle)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)