
rhubarbphp/module-csrfprotection
================================

A means to provide token based CSRF protection

Version 1.1.3 (2y ago) · Apache-2.0 · PHP · [3 PRs](https://github.com/RhubarbPHP/Module.CsrfProtection/pulls)

Since Nov 10 · Pushed 2y ago · 4 watchers

[Source](https://github.com/RhubarbPHP/Module.CsrfProtection) · [Packagist](https://packagist.org/packages/rhubarbphp/module-csrfprotection) · [Docs](http://www.rhubarbphp.com/)

Module.CsrfProtection
=====================


Provides a mechanism for CSRF protection

Usage
-----


Simply require the module using composer:

```
composer require rhubarbphp/module-csrfprotection
```

There are two types of validation provided:

### Header validation

Simply call the `validateHeaders` method of the library to compare the `Origin` and `Referer` headers with the active request.

```
CsrfProtection::singleton()->validateHeaders($request);
```

`$request` should be the active `WebRequest` object. If you don't have a reference to it, you can get it using:

```
$request = Request::current();
```

This validation should be done for every POST request. It can also be done for GET requests; however, this isn't recommended because it will fail on the first request a client makes to the site.

### Cookie validation


This approach should be used in conjunction with header validation and compares a posted value against a previously generated random token stored in a cookie on the client.

When you output a form tag include the CSRF cookie token:

```
$csrfProtector = CsrfProtection::singleton();

print '';
```

When handling the post back, validate headers and the cookie:

```
if ($request->server('REQUEST_METHOD') == 'POST'){
    CsrfProtection::singleton()->validateHeaders($request);
    CsrfProtection::singleton()->validateCookie($request);
}
```
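
The two checks described above, sketched as a stand-alone PHP example that is added here and is not the module's own code. The function names, the `csrf_token` field name and the sample requests are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers illustrating the technique; not the module's API.

/** True when Origin (or, failing that, Referer) names the host the request was sent to. */
function headersMatchHost(array $server): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if ($source === null) {
        return false; // neither header sent, e.g. a client's first GET to the site
    }
    $sourceHost = parse_url($source, PHP_URL_HOST);
    $targetHost = parse_url('//' . ($server['HTTP_HOST'] ?? ''), PHP_URL_HOST);
    return is_string($sourceHost) && is_string($targetHost)
        && strcasecmp($sourceHost, $targetHost) === 0;
}

/** Random token to store in a cookie and echo into a hidden form field. */
function newToken(): string
{
    return bin2hex(random_bytes(32));
}

/** Constant-time comparison of the posted value against the cookie value. */
function tokenMatches(array $cookies, array $post, string $name = 'csrf_token'): bool
{
    $cookie = $cookies[$name] ?? '';
    $posted = $post[$name] ?? '';
    return is_string($cookie) && is_string($posted) && $cookie !== ''
        && hash_equals($cookie, $posted);
}

// Constructed sample requests: [server variables, value posted in the form field].
$token = newToken();
$cases = [
    'same-site POST'       => [['HTTP_HOST' => 'shop.example', 'HTTP_ORIGIN' => 'https://shop.example'], $token],
    'cross-site POST'      => [['HTTP_HOST' => 'shop.example', 'HTTP_ORIGIN' => 'https://other.example'], ''],
    'no Origin or Referer' => [['HTTP_HOST' => 'shop.example'], $token],
];

foreach ($cases as $label => [$server, $posted]) {
    $ok = headersMatchHost($server)
        && tokenMatches(['csrf_token' => $token], ['csrf_token' => $posted]);
    printf("%-22s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

The third case shows why header validation is not recommended for GET requests: a request carrying neither header is rejected even though its token is correct.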

Handling failures
-----------------

If validation fails, a `CsrfViolationException` is thrown, which should be caught and handled appropriately.

### Health Score

36 (Low). Better than 79% of packages.

- Maintenance: 20. Infrequent updates; may be unmaintained.
- Popularity: 27. Limited adoption so far.
- Community: 15. Small or concentrated contributor base.
- Maturity: 70. Established project with proven stability.
- Bus Factor: 1. Top contributor holds 68.8% of commits (single point of failure).


### Release Activity

- Cadence: every ~299 days (recently: every ~583 days)
- Total: 9
- Last Release: 757d ago

### Community

Maintainers: [acuthbert](/maintainers/acuthbert)

Top Contributors: [acuthbert](https://github.com/acuthbert) (11 commits), [mballantinegcd](https://github.com/mballantinegcd) (2 commits), [scottmcmurray](https://github.com/scottmcmurray) (2 commits), [miscampbell](https://github.com/miscampbell) (1 commit)

Tags: php, framework, token, csrf, rhubarb, protection

### Code Quality

Tests: Codeception

