


riimu/kit-csrf
==============

Secure and simple CSRF library protected against timing and BREACH attacks

Version: v2.4.0 · License: MIT · Requires: PHP >=5.4.0 · [2 open PRs](https://github.com/Riimu/Kit-CSRF/pulls)

[Source](https://github.com/Riimu/Kit-CSRF) · [Packagist](https://packagist.org/packages/riimu/kit-csrf) · [Docs](http://kit.riimu.net) · [RSS](/packages/riimu-kit-csrf/feed)


Secure CSRF validator
=====================


*CSRF* is a PHP library for preventing [Cross-Site Request Forgery](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29) attacks. A CSRF attack takes advantage of authenticated users by luring them to a malicious website that sends carefully crafted requests to the targeted website in order to modify content there. Because the requests are sent by the authenticated user's own browser, they carry the user's credentials and bypass authentication. This library prevents these attacks by requiring a CSRF token in each POST, PUT and DELETE request. The attacker does not know the token, so they cannot construct a request that passes validation.

This library supports storing the CSRF secret in either a cookie or the session. The token can be submitted either as a hidden form field in POST requests or as an HTTP header, which makes it easy to pass the token in Ajax requests.

To provide additional protection against attacks aimed at the CSRF tokens themselves, this library uses constant-time string comparison to prevent timing attacks, and it generates a freshly encrypted random token on each request so that the token bytes sent to the browser differ every time, which prevents BREACH attacks. All tokens are generated with a cryptographically secure random byte generator.
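To make the two defences concrete, here is an added illustration of the underlying technique, written for this page rather than taken from Kit-CSRF (the library's own implementation differs in detail and targets PHP 5.4 via Kit-SecureRandom; this sketch assumes PHP 7 for `random_bytes()` and `hash_equals()`). The secret never leaves the server unmasked: each rendering XORs it with a fresh random mask and sends mask plus masked secret, so the bytes on the wire change on every request while the server-side secret stays fixed. Validation unmasks and then compares in constant time.

```php
<?php
// Added illustration, not Kit-CSRF's code: per-request token masking (BREACH
// defence) and constant-time comparison (timing defence). Assumes PHP 7+.

// The server-side secret, generated once and kept in the cookie or session.
function generateSecret($bytes = 32)
{
    return random_bytes($bytes);
}

// BREACH defence: never send the raw secret. Emit mask || (mask XOR secret)
// with a new random mask each time, so a compressed response containing the
// token never repeats the same byte sequence across requests.
function maskToken($secret)
{
    $mask = random_bytes(strlen($secret));
    return base64_encode($mask . ($mask ^ $secret));
}

// Reverse the masking. Returns null for anything that is not exactly
// mask || masked-secret of the expected length.
function unmaskToken($encoded, $secretLength)
{
    $raw = base64_decode($encoded, true);
    if ($raw === false || strlen($raw) !== 2 * $secretLength) {
        return null;
    }
    $mask = substr($raw, 0, $secretLength);
    return $mask ^ substr($raw, $secretLength);
}

// Timing defence: a byte-wise '===' returns at the first differing byte, so
// rejection time leaks how many leading bytes were correct. hash_equals()
// always examines the full string before answering.
function tokenMatches($secret, $submitted)
{
    $candidate = unmaskToken($submitted, strlen($secret));
    if ($candidate === null) {
        return false;
    }
    return hash_equals($secret, $candidate);
}

// Walk-through with a constructed secret: two renderings of the same secret
// differ on the wire, both still validate, and a forged all-zero blob does not.
$secret = generateSecret();
$first = maskToken($secret);
$second = maskToken($secret);
$forged = base64_encode(str_repeat("\0", 2 * strlen($secret)));

var_dump($first !== $second);
var_dump(tokenMatches($secret, $first));
var_dump(tokenMatches($secret, $second));
var_dump(tokenMatches($secret, $forged));
```

The important design point is that the mask is discarded after rendering: only the fixed secret is stored, and any submitted value is accepted only if unmasking it reproduces that secret byte for byte.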

The API documentation, which can be generated using Apigen, can be read online at:

[![Build Status](https://camo.githubusercontent.com/6a1e9f63429684bf870df1029ae2ef2774e96c7be9c04ef8a7b36e39583bb8fb/68747470733a2f2f696d672e736869656c64732e696f2f7472617669732f5269696d752f4b69742d435352462e7376673f7374796c653d666c6174)](https://travis-ci.org/Riimu/Kit-CSRF)[![Code Coverage](https://camo.githubusercontent.com/e4ed7ffdfd21f106f33726b0e0a8a1c684422220bd329e305fbbb77c99b2320b/68747470733a2f2f696d672e736869656c64732e696f2f7363727574696e697a65722f636f7665726167652f672f5269696d752f4b69742d435352462e7376673f7374796c653d666c6174)](https://scrutinizer-ci.com/g/Riimu/Kit-CSRF/)[![Scrutinizer Code Quality](https://camo.githubusercontent.com/af37133d660f9979798d2d603106e0557540179d98ed7d479ccc214d78e08f77/68747470733a2f2f696d672e736869656c64732e696f2f7363727574696e697a65722f672f5269696d752f4b69742d435352462e7376673f7374796c653d666c6174)](https://scrutinizer-ci.com/g/Riimu/Kit-CSRF/)

Requirements
------------


In order to use this library, the following requirements must be met:

- PHP version 5.4 or later
- The [Kit-SecureRandom](https://github.com/Riimu/Kit-SecureRandom) library

Installation
------------


This library can be installed by using [Composer](http://getcomposer.org/). In order to do this, you must download the latest Composer version and run the `require` command to add this library as a dependency to your project. The easiest way to complete these two tasks is to run the following two commands in your terminal:

```
php -r "readfile('https://getcomposer.org/installer');" | php
php composer.phar require "riimu/kit-csrf:2.*"
```

If you already have Composer installed on your system and you know how to use it, you can also install this library by adding it as a dependency to your `composer.json` file and running the `composer install` command. Here is an example of what your `composer.json` file could look like:

```
{
    "require": {
        "riimu/kit-csrf": "2.*"
    }
}
```

After installing this library via Composer, you can load the library by including the `vendor/autoload.php` file that was generated by Composer during the installation.

### Manual installation


You can also install this library manually without using Composer. To do this, download the [latest release](https://github.com/Riimu/Kit-CSRF/releases/latest) and extract the `src` folder from the archive into your project folder. To load the library, include the `src/autoload.php` file provided in the archive.

Note that if you install this library manually, you must also install the dependencies by yourself. Installing the library via Composer also installs the dependencies for you.

Usage
-----


The idea of this library is to make security as convenient as possible. You only really need two methods of the `CSRFHandler` class. The method `validateRequest()` should be called at the very beginning of each request; it only validates POST, PUT and DELETE requests, so it is safe to call on every request. The method `getToken()` retrieves the token that must be included in each submitted form as a hidden field named `csrf_token`.

If the submitted token does not match the secret token stored in the cookie or session, the `validateRequest()` method sends an HTTP 400 (Bad Request) header and terminates script execution. This should not affect normal use of your website, but it stops any CSRF attempt against it.
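The following is an added example, not the README's own sample page, showing the two calls above wired into a complete request handler. It assumes a Composer installation and that `CSRFHandler` lives in the `Riimu\Kit\CSRF` namespace (the namespace is not stated on this page).

```php
<?php
// Added example (not from the Kit-CSRF README): a self-contained form page
// that validates the CSRF token on every request and embeds the current
// token in its form. Assumes vendor/autoload.php from Composer and the
// Riimu\Kit\CSRF namespace, neither of which this page states explicitly.
require __DIR__ . '/vendor/autoload.php';

use Riimu\Kit\CSRF\CSRFHandler;

// With no arguments the handler keeps the secret in a cookie; the README also
// allows session storage. Construct and validate before any output so that a
// failed check can still send the HTTP 400 header.
$csrf = new CSRFHandler();

// Only POST, PUT and DELETE are checked, so calling this on every request is
// safe. On a mismatch the library responds with HTTP 400 and terminates the
// script, so nothing below this line runs for a forged request.
$csrf->validateRequest();

$message = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Reaching this branch means the csrf_token field matched the stored secret.
    $comment = isset($_POST['comment']) ? $_POST['comment'] : '';
    $message = 'Comment accepted: ' . htmlspecialchars($comment, ENT_QUOTES, 'UTF-8');
}

// The token is re-encrypted on every request (the BREACH defence described
// earlier), so fetch it fresh each time the form is rendered.
$token = htmlspecialchars($csrf->getToken(), ENT_QUOTES, 'UTF-8');
?>
<!DOCTYPE html>
<html>
<head><title>CSRF protected form</title></head>
<body>
<?php if ($message !== ''): ?>
<p><?php echo $message; ?></p>
<?php endif; ?>
<form method="post" action="">
    <input type="hidden" name="csrf_token" value="<?php echo $token; ?>">
    <textarea name="comment"></textarea>
    <button type="submit">Send</button>
</form>
</body>
</html>
```

A GET for this page passes straight through `validateRequest()` and renders the form with a fresh token; a POST that omits or alters the `csrf_token` field never reaches the handling branch, because the library has already sent the 400 response and stopped the script.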

As an example, here is a simple web page that has one form that can be submitted:

```

  Simple Form
