


marein/symfony-standard-headers-csrf-bundle
===========================================

Protect symfony applications against CSRF attacks with the help of standard headers.

- Latest version: 1.0.3 (2y ago); 6 versions in total
- Downloads: 28.2k (6.3%)
- [2 issues](https://github.com/marein/symfony-standard-headers-csrf-bundle/issues), [1 PR](https://github.com/marein/symfony-standard-headers-csrf-bundle/pulls)
- License: MIT; PHP ^7.4 || ^8.0; CI passing
- Since Sep 24; pushed 5mo ago; 1 watcher; default branch `master`, synced 1mo ago
- 9 dependencies; used by 0 packages
- [Source](https://github.com/marein/symfony-standard-headers-csrf-bundle), [Packagist](https://packagist.org/packages/marein/symfony-standard-headers-csrf-bundle), [RSS](/packages/marein-symfony-standard-headers-csrf-bundle/feed)

symfony-standard-headers-csrf-bundle
====================================


[![CI](https://github.com/marein/symfony-standard-headers-csrf-bundle/workflows/CI/badge.svg?branch=master)](https://github.com/marein/symfony-standard-headers-csrf-bundle/workflows/CI/badge.svg?branch=master)

**Table of contents**

- [Overview](#overview)
    - [How it works](#how-it-works)
- [Installation and requirements](#installation-and-requirements)
- [Configuration](#configuration)
- [Public api](#public-api)

Overview
--------


Protect symfony applications against CSRF attacks with the help of standard headers.

The mechanism this bundle uses to prevent CSRF attacks is described in the [OWASP Cross-Site Request Forgery Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#verifying-origin-with-standard-headers) under the name "Verifying Origin With Standard Headers".

### How it works


This bundle relies on the `Host`, `Origin` and `Referer` headers. All three are [forbidden header names](https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name): a standard browser sets them itself and does not let page scripts change them, which is what makes them usable as evidence of where a request came from. (A non-browser client can send whatever headers it likes, but CSRF is about requests a victim's browser is tricked into sending, so that does not weaken the check.) Please read the [OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#verifying-origin-with-standard-headers) page carefully, as this technique does not work in all cases: `Origin` is not sent on every request, and a `Referrer-Policy` of `no-referrer` or a privacy tool can strip the `Referer`.

This bundle returns status code `403` when a request is not considered safe. A request is safe if at least one of the following criteria is met (any one suffices):

- the HTTP method is a safe one in the RFC 7231 sense (`GET`, `HEAD`, `OPTIONS`, `TRACE`), so state-changing actions must never be reachable through `GET`;
- the request path matches one of the `allowed_paths` regular expressions from the configuration;
- the `Origin` header matches the `Host` header or one of the `allowed_origins` regular expressions from the configuration;
- `fallback_to_referer` is enabled and the `Referer` header matches the `Host` header or one of the `allowed_origins` from the configuration;
- `allow_null_origin` is enabled and the `Origin` header is literally `"null"`.

Two of these options widen the attack surface and deserve a second look before they are enabled. `Origin: null` is what browsers send from sandboxed iframes, `data:` URLs and after some cross-origin redirects, so `allow_null_origin` lets exactly those requests through; keep it off unless a concrete flow needs it. An entry in `allowed_paths` disables the check for every request to that path, so reserve it for endpoints that are protected some other way (for example an API authenticated with a bearer token rather than a cookie).

If trusted proxies are configured in your Symfony application, `X-Forwarded-Host` is used instead of `Host`. The comparison target then comes from a proxy-supplied header, so only list proxies you actually control as trusted.

Installation and requirements
-----------------------------


Add the bundle to your project.

```
composer require marein/symfony-standard-headers-csrf-bundle

```

Register the bundle in the kernel. How this is done depends on your setup: the example below is the classic `registerBundles()` form, while Symfony Flex projects register bundles in `config/bundles.php` instead.

```
public function registerBundles()
{
    return [
        // ...
        new \Marein\StandardHeadersCsrfBundle\MareinStandardHeadersCsrfBundle(),
        // ...
    ];
}
```

Configuration
-------------


This is an example showing all configuration options in YAML format. Note the anchored patterns in `allowed_origins`: an unanchored pattern such as `my-domain\.com` would also match an attacker-controlled origin like `https://my-domain.com.evil.example`.

```
marein_standard_headers_csrf:
    # List of regular expressions that are used to check for allowed request paths.
    # Each entry is automatically surrounded by the delimiter #.
    #
    # Type: string[]
    # Default: []
    allowed_paths:
        - '^/api'

    # List of regular expressions that are used to check for allowed origins.
    # Each entry is automatically surrounded by the delimiter #.
    #
    # Type: string[]
    # Default: []
    allowed_origins:
        - '^https?://my-domain\.com$'
        - '^https?://.*\.my-other-domain-including-subdomains\.com$'

    # Switch to enable the comparison of the host header and allowed_origins with the referer header.
    #
    # Type: bool
    # Default: true
    fallback_to_referer: true

    # Switch to allow "null" as a valid origin header value.
    #
    # Type: bool
    # Default: false
    allow_null_origin: false
```
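The five rules from "How it works" and the regular-expression caveat from the configuration, worked through as runnable PHP. This is an added example written for this page, not the bundle's own code, and it uses none of the bundle's classes (the README asks that they not be used directly). It assumes two details the README does not spell out: `Origin` and `Referer` are compared with `Host` on their `host[:port]` part, and `Referer` is reduced to `scheme://host[:port]` before it is matched against `allowed_origins`. The function and host names (`isSafeRequest`, `app.example`, `evil.example`) and all requests are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example: a stand-alone re-implementation of the README's decision rules,
// not the bundle's code. Assumptions: Origin/Referer are compared with Host on
// host[:port], and Referer is reduced to its origin before matching allowed_origins.

const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];

/** Test $subject against each pattern, wrapped in '#' as the bundle's config comments describe. */
function matchesAny(string $subject, array $patterns): bool
{
    foreach ($patterns as $pattern) {
        if (preg_match('#' . $pattern . '#', $subject) === 1) {
            return true;
        }
    }
    return false;
}

/** Reduce an Origin value or a Referer URL to lower-case scheme://host[:port]; null if unparsable. */
function originOf(string $url): ?string
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    return strtolower($p['scheme']) . '://' . strtolower($p['host']) . (isset($p['port']) ? ':' . $p['port'] : '');
}

/** Does the header value (Origin or Referer) point back at this host, or at an allowed origin? */
function originAccepted(string $value, string $host, array $allowedOrigins): bool
{
    $origin = originOf($value);
    if ($origin === null) {
        return false;
    }
    $authority = substr($origin, strpos($origin, '://') + 3); // host[:port]
    return ($host !== '' && $authority === $host) || matchesAny($origin, $allowedOrigins);
}

/** True if any one rule accepts the request; the bundle answers 403 otherwise. Header keys are lower-case. */
function isSafeRequest(string $method, string $path, array $headers, array $config, bool $behindTrustedProxy = false): bool
{
    if (in_array(strtoupper($method), SAFE_METHODS, true)) {   // 1. safe method
        return true;
    }
    if (matchesAny($path, $config['allowed_paths'] ?? [])) {    // 2. allowed path
        return true;
    }
    // With trusted proxies configured the README says X-Forwarded-Host replaces Host.
    $host = strtolower($behindTrustedProxy ? ($headers['x-forwarded-host'] ?? '') : ($headers['host'] ?? ''));
    $allowed = $config['allowed_origins'] ?? [];
    $origin = $headers['origin'] ?? null;
    if ($origin !== null && $origin !== 'null' && originAccepted($origin, $host, $allowed)) {  // 3. Origin
        return true;
    }
    if (($config['fallback_to_referer'] ?? true) && isset($headers['referer'])
        && originAccepted($headers['referer'], $host, $allowed)) {                              // 4. Referer fallback
        return true;
    }
    return ($config['allow_null_origin'] ?? false) && $origin === 'null';                      // 5. literal "null"
}

// Constructed requests (example data, not taken from the page).
$config = [
    'allowed_paths'       => ['^/api'],
    'allowed_origins'     => ['^https?://my-domain\.com$'],
    'fallback_to_referer' => true,
    'allow_null_origin'   => false,
];
$base  = ['host' => 'app.example'];
$cases = [ // label, expected, method, path, headers, config
    ['GET is a safe method',               true,  'GET',  '/profile',       $base, $config],
    ['allowed path skips the check',       true,  'POST', '/api/v1/things', $base, $config],
    ['Origin equals Host',                 true,  'POST', '/profile', $base + ['origin' => 'https://app.example'], $config],
    ['cross-site Origin is rejected',      false, 'POST', '/profile', $base + ['origin' => 'https://evil.example'], $config],
    ['Referer origin in allowed_origins',  true,  'POST', '/profile', $base + ['referer' => 'https://my-domain.com/page'], $config],
    ['no Origin and no Referer (stripped)', false, 'POST', '/profile', $base, $config],
    ['Origin: null stays rejected',        false, 'POST', '/profile', $base + ['origin' => 'null'], $config],
    ['Origin: null accepted when enabled', true,  'POST', '/profile', $base + ['origin' => 'null'], ['allow_null_origin' => true] + $config],
    // An unanchored pattern is a bypass: it also matches an attacker-controlled subdomain.
    ['unanchored pattern lets evil.example through', true, 'POST', '/profile',
        $base + ['origin' => 'https://my-domain.com.evil.example'], ['allowed_origins' => ['my-domain\.com']] + $config],
];
foreach ($cases as [$label, $expected, $method, $path, $headers, $cfg]) {
    $actual = isSafeRequest($method, $path, $headers, $cfg);
    printf("%s  %s -> %s\n", $actual === $expected ? 'ok ' : 'BUG', $label, $actual ? 'allowed' : '403');
}
```

Run it with `php example.php`; every line should start with `ok`, including the last one, where the expected value is `true` precisely because the unanchored pattern accepts an origin it should not. Swap that pattern for the anchored `^https?://my-domain\.com$` from the configuration above and the same request is rejected.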

Public api
----------


Only the bundle configuration is part of the public api. Everything else can change and is not considered a breaking change. Please don't use classes or services directly.

### Health Score

35 (Low; better than 80% of packages). Maintenance 29: infrequent updates, may be unmaintained. Popularity 26: limited adoption so far. Community 7: small or concentrated contributor base. Maturity 63: established project with proven stability. Bus factor 1: the top contributor holds 100% of commits, a single point of failure.


### Release Activity

4 releases, cadence every ~392 days, last release 884d ago. PHP version history (2 changes): 1.0.0 requires PHP ^7.4; 1.0.1 and later require PHP ^7.4 || ^8.0.

### Community

Maintainer: [marein](/maintainers/marein). Top contributor: [marein](https://github.com/marein) (21 commits).

### Code Quality

- Tests: PHPUnit
- Static analysis: PHPStan
- Code style: PHP_CodeSniffer
- Type coverage: yes



PHPackages © 2026

