
inventor96/mako-csrf
====================

A middleware wrapper around Mako's session tokens as an anti-CSRF mechanism.

v1.0.1 (1y ago) · MIT · PHP ~8.1.0|~8.2.0|~8.3.0 · Since Oct 29

[Source](https://github.com/inventor96/mako-csrf) · [Packagist](https://packagist.org/packages/inventor96/mako-csrf)

Mako CSRF
=========


A middleware wrapper around Mako's [session tokens](https://makoframework.com/docs/10.0/learn-more:sessions#usage:security) as an anti-CSRF mechanism.

Installation
------------


1. Install the composer package:

    ```
    composer require inventor96/mako-csrf
    ```
2. Enable the package in Mako:
    `app/config/application.php`:

    ```
    [
        'packages' => [
            'web' => [
                \inventor96\MakoCSRF\CSRFPackage::class
            ],
        ],
    ];
    ```
3. Register the middleware: `app/http/routing/middleware.php`:

    ```
    $dispatcher->registerGlobalMiddleware(\inventor96\MakoCSRF\CSRFMiddleware::class);
    ```

    It's also recommended you set a priority lower than the Mako default of 100: `app/http/routing/middleware.php`:

    ```
    $dispatcher->setMiddlewarePriority(\inventor96\MakoCSRF\CSRFMiddleware::class, 25);
    ```

    At a bare minimum, it should be processed before any other middleware that might cause a change in the application.

Configuration
-------------


The default configuration works out of the box, but you may want to change these values for the sake of obfuscation. If you would like to override the default configuration, create a new file at `app/config/packages/csrf/csrf.php`.

The configuration items and their defaults are as follows:

```
return [
	/*
	 * ---------------------------------------------------------
	 * Form name
	 * ---------------------------------------------------------
	 *
	 * The name of the form field that will contain the CSRF token.
	 * This applies to both the generated HTML element, as well as the field that is checked in the middleware.
	 */
	'form_name' => 'mako_csrf_token',

	/*
	 * ---------------------------------------------------------
	 * View variable name
	 * ---------------------------------------------------------
	 *
	 * The name of the variable that will be made available in views to contain the CSRF token.
	 */
	'view_var_name' => 'mako_csrf_token',

	/*
	 * ---------------------------------------------------------
	 * Missing token message
	 * ---------------------------------------------------------
	 *
	 * The message of the `BadRequestException` when the CSRF token is missing.
	 */
	'missing_token_message' => 'The CSRF token is missing.',

	/*
	 * ---------------------------------------------------------
	 * Bad token message
	 * ---------------------------------------------------------
	 *
	 * The message of the `BadRequestException` when the CSRF token is invalid.
	 */
	'bad_token_message' => 'The CSRF token is invalid.',
];
```

Usage
-----


### Middleware


The middleware will automatically require a valid CSRF token for any state-changing HTTP verb (e.g. `POST`, `DELETE`, etc.), and act as a pass-thru for others (e.g. `GET`, `HEAD`, etc.). To override this in either direction, set the `$required` parameter on a per-route basis. Note that `required: false` on a state-changing route, as in the following example, leaves that route without CSRF protection.

```
$routes->post('/articles/{id}', [Articles::class, 'update'])
    ->middleware(CSRFMiddleware::class, required: false);
```
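
The decision the middleware section describes, modelled as a standalone function. This is an added illustration, not the package's own code: `csrfDecision()`, `SAFE_METHODS` and the sample cases are hypothetical, and the exact set of pass-through verbs is an assumption.

```php
<?php
declare(strict_types=1);

// Assumption: the pass-through set is the RFC 9110 "safe" methods; the page
// only names GET and HEAD as examples and does not list the package's set.
const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];

/**
 * Hypothetical model of the per-request decision (not the package's code).
 * $required: null = decide by HTTP verb; true/false = per-route override.
 * Returns 'pass', 'missing' or 'invalid'.
 */
function csrfDecision(string $method, ?bool $required, array $form,
                      string $sessionToken, string $field = 'mako_csrf_token'): string
{
    $mustCheck = $required ?? !in_array(strtoupper($method), SAFE_METHODS, true);
    if (!$mustCheck) {
        return 'pass';
    }
    $submitted = $form[$field] ?? null;
    // A field sent as an array (name[]=x) or left empty counts as missing.
    if (!is_string($submitted) || $submitted === '') {
        return 'missing';
    }
    // Constant-time comparison, so timing does not reveal token prefixes.
    return hash_equals($sessionToken, $submitted) ? 'pass' : 'invalid';
}

// Constructed sample data: a stand-in for the token stored in the session.
$token = bin2hex(random_bytes(16));
$cases = [
    ['GET',    null,  []],
    ['POST',   null,  []],
    ['POST',   null,  ['mako_csrf_token' => 'guess']],
    ['POST',   null,  ['mako_csrf_token' => [$token]]],
    ['DELETE', null,  ['mako_csrf_token' => $token]],
    ['POST',   false, []],
    ['GET',    true,  []],
];
foreach ($cases as [$method, $required, $form]) {
    printf("%-6s required=%-5s => %s\n", $method,
        var_export($required, true), csrfDecision($method, $required, $form, $token));
}
```

The `missing` and `invalid` outcomes correspond to the two `BadRequestException` messages in the configuration above.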

### Views


There are two variables made available in views, and both are based on the `view_var_name` config option. If you change the config option, replace `mako_csrf_token` with your new value in the following examples:

- `$mako_csrf_token`: The CSRF token value itself.
- `$mako_csrf_token_input`: An HTML hidden input element containing the CSRF token with the `name` attribute set to the `form_name` config option. This can be used directly in HTML forms.

    ```
    {{ raw:$mako_csrf_token_input }}
    ```
