


dunglas/angular-csrf-bundle
===========================

CSRF protection when using AngularJS with Symfony2

Latest release: v1.2.0 (7 years ago). License: MIT. Requires PHP >=7.0.


[Source](https://github.com/dunglas/DunglasAngularCsrfBundle) · [Packagist](https://packagist.org/packages/dunglas/angular-csrf-bundle) · [Docs](https://api-platform.com)


JavaScript CSRF Protection Bundle
=================================


**Archived!** Now that all modern browsers implement `SameSite` cookies and the `Origin` HTTP header, this bundle is, in most cases, no longer necessary. **[Learn how to protect your Symfony APIs from CSRF attacks](https://symfonycasts.com/screencast/reactjs/csrf-protection?cid=apip#do-apis-need-protection).** If you need to maintain old applications, take a look at [DneustadtCsrfCookieBundle](https://github.com/dneustadt/DneustadtCsrfCookieBundle).

This [API Platform](http://api-platform.com) and [Symfony](http://symfony.com) bundle provides automatic [Cross Site Request Forgery](http://en.wikipedia.org/wiki/Cross-site_request_forgery) (CSRF or XSRF) protection for client-side applications.

Despite the name, it works with any client-side technology including [Angular](https://angular.io/), [React](https://facebook.github.io/react/), [Vue.js](https://vuejs.org/) and [jQuery](https://jquery.com/). In fact, any JavaScript code issuing [XMLHttpRequest](https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest) or using [the Fetch API](https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API) can leverage this bundle.


How it Works
------------


Thanks to this bundle, the server-side application (the Symfony app) automatically sets a cookie named `XSRF-TOKEN` containing a unique token in the first HTTP response sent to the browser. Subsequent asynchronous requests made by the JavaScript app with `xhr` or `fetch` send the value of that cookie back in a dedicated HTTP header named `X-XSRF-TOKEN`.

To prevent CSRF attacks, the bundle checks that the header's value matches the cookie's value. A cross-site attacker can cause the browser to send the cookie, but cannot read it to copy its value into the header, so a request whose header is missing or does not match is detected and blocked.

AngularJS (v1)'s `ng.$http` service has [built-in support for this CSRF protection system](http://docs.angularjs.org/api/ng.$http#description_security-considerations_cross-site-request-forgery-protection). If you use another framework or HTTP client (such as [Axios](https://github.com/axios/axios)), you just need to read the cookie value and add the HTTP header containing it yourself.
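The client-side half described above (read the cookie, echo it back in the header) as an added example; this is not the bundle's own code. It uses the bundle's default cookie and header names, takes the cookie string and page origin as parameters so it runs outside a browser, and the helper names `readCookie` and `withCsrfHeader` are assumptions.

```javascript
// Added example: mirror what AngularJS's $http does for any fetch() client.
// Cookie and header names are the bundle's defaults; cookieString is passed in
// explicitly (document.cookie in a browser) so the helpers can run anywhere.

const COOKIE_NAME = 'XSRF-TOKEN';
const HEADER_NAME = 'X-XSRF-TOKEN';

// Parse a document.cookie-style string ("a=1; b=2") and return the value of
// `name`, or null if absent. Browsers store cookie values URL-encoded.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    if (part.slice(0, idx).trim() === name) {
      return decodeURIComponent(part.slice(idx + 1).trim());
    }
  }
  return null;
}

// Return a copy of the fetch() init object with the CSRF header attached for
// state-changing, same-origin requests only. The token is never sent
// cross-origin (a third party must not learn it), and safe methods are left
// untouched, matching the methods the bundle is configured to secure.
function withCsrfHeader(url, init, cookieString, origin) {
  const method = (init.method || 'GET').toUpperCase();
  const safeMethods = ['GET', 'HEAD', 'OPTIONS'];
  const target = new URL(url, origin);
  if (safeMethods.includes(method) || target.origin !== origin) {
    return init;
  }
  const token = readCookie(cookieString, COOKIE_NAME);
  if (token === null) {
    // The cookie is only set on the configured set_on patterns; load one first.
    throw new Error(`${COOKIE_NAME} cookie missing: fetch a cookie-setting page first`);
  }
  const headers = { ...(init.headers || {}), [HEADER_NAME]: token };
  // credentials: 'same-origin' is fetch's default; made explicit because the
  // server must receive the cookie to compare it with the header.
  return { ...init, headers, credentials: 'same-origin' };
}

// In a browser:
//   fetch(url, withCsrfHeader(url, { method: 'POST', body }, document.cookie, location.origin));
```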

This bundle provides a [Symfony Event Listener](http://symfony.com/doc/current/cookbook/service_container/event_listener.html) that sets the cookie and another one that checks the HTTP header to block CSRF attacks.

Thanks to DunglasAngularCsrfBundle, you get CSRF security without modifying your code base.

This bundle works fine with both [API Platform](https://api-platform.com) and [FOSRestBundle](https://github.com/FriendsOfSymfony/FOSRestBundle).

Installation
------------


Use [Composer](http://getcomposer.org/) to install this bundle:

```
composer require dunglas/angular-csrf-bundle
```

If you use Symfony Flex, you're done.

Otherwise add the bundle in your application kernel:

```
// app/AppKernel.php

public function registerBundles()
{
    return array(
        // ...
        new Dunglas\AngularCsrfBundle\DunglasAngularCsrfBundle(),
        // ...
    );
}
```

Configure the URLs on which the cookie must be set and the URLs that must be protected against CSRF attacks:

```
# app/config/security.yml
dunglas_angular_csrf:
    # Collection of patterns where to set the cookie
    cookie:
        set_on:
            - { path: ^/$ }
            - { route: ^app_, methods: [GET, HEAD] }
            - { host: example.com }
    # Collection of patterns to secure
    secure:
        - { path: ^/api, methods: [POST, PUT, PATCH, LINK] }
        - { route: ^api_v2_ }
        - { host: example.com, methods: [POST, PUT, PATCH, DELETE, LINK] }
    # Collection of patterns to exclude
    exclude:
        - { path: ^/api/exclude, methods: [POST, PUT, PATCH, LINK] }
        - { route: ^api_v2_exclude }
        - { host: exclude-example.com, methods: [POST, PUT, PATCH, DELETE, LINK] }
```

Your app is now secured.

Examples
--------


- [DunglasTodoMVCBundle](https://github.com/dunglas/DunglasTodoMVCBundle): an implementation of the TodoMVC app using Symfony, Backbone.js and Chaplin.js

Full Configuration
------------------


```
dunglas_angular_csrf:
    token:
        # The CSRF token id
        id: angular
    header:
        # The name of the HTTP header to check (defaults to the AngularJS default)
        name: X-XSRF-TOKEN
    cookie:
        # The name of the cookie to set (defaults to the AngularJS default)
        name: XSRF-TOKEN
        # Expiration time of the cookie (0 = session cookie)
        expire: 0
        # Path of the cookie
        path: /
        # Domain of the cookie
        domain: ~
        # If true, set the cookie only on HTTPS connections
        secure: false
        # Patterns of URLs to set the cookie
        set_on:
            - { path: "^/url-pattern", route: "^route_name_pattern$", host: "example.com", methods: [GET, POST] }
    # Patterns of URLs to check for a valid CSRF token
    secure:
        - { path: "^/url-pattern", route: "^route_name_pattern$", host: "example.com", methods: [GET, POST] }
    # Patterns to exclude from secure routes
    exclude:
        - { path: "^/url-pattern/exclude", route: "^route_name_pattern$", host: "example.com", methods: [GET, POST] }
```

Integration with the Symfony Form Component
-------------------------------------------


When using the Symfony Form Component together with DunglasAngularCsrfBundle, the bundle automatically disables the built-in form CSRF protection only if the CSRF token provided by the header is valid.

If no CSRF header is found or if the token is invalid, the bundle leaves the form CSRF protection enabled, so the form's own token check still applies.

If you want a form to be validated only by the Form Component, make sure to remove its URL from the `secure` configuration.

Credits
-------


This bundle has been created by [Kévin Dunglas](http://dunglas.fr).


### Release Activity

- Total releases: 5
- Major versions: v0.1.0 → v1.0.0 (2015-11-04)
- PHP version history: v0.1.0 requires PHP >=5.3.3; v1.1.0 requires PHP >=7.0
