
solventt/csrf-protection
========================

PSR-15 compatible middleware implementing cross-site request forgery protection

Latest release: 1.0 (4 years ago). License: BSD-3-Clause. Requires PHP ^7.4 || ^8.0. CI passing. [4 open PRs](https://github.com/solventt/csrf-protection/pulls).

[Source](https://github.com/solventt/csrf-protection) | [Packagist](https://packagist.org/packages/solventt/csrf-protection)

### Table of Contents


1. [Features](#features)
2. [Installing](#installing)
3. [Usage](#usage)
4. [A real use case](#a-real-use-case)
5. [A custom token name](#a-custom-token-name)
6. [A custom failure handler](#a-custom-failure-handler)
7. [A custom token storage](#a-custom-token-storage)
8. [A custom token generation algorithm](#a-custom-token-generation-algorithm)
9. [A custom CSRF token class](#a-custom-csrf-token-class)
10. [The CSRF token in custom request headers](#the-csrf-token-in-custom-request-headers)

This is a PSR-15 compatible middleware that implements protection against cross-site request forgery.

In this package, the CSRF protection is organized according to the `Synchronizer Token` pattern described on the [OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern) website.

### Features


This package uses token masking: each time the token is read, it is XORed with a freshly generated random secret, so the value sent to the client differs on every request while the stored token stays the same. This method is recommended as protection against [BREACH](http://www.breachattack.com/) attacks, which recover a secret that appears unchanged across compressed responses.

The CSRF token is generated and saved once per session (this can be changed). **But thanks to the mask, the token will be unique each time it is requested**.

Masking the token also eliminates false CSRF failures on the server when a user returns to a previously rendered form with the browser's "Back" button and submits it.

### Installing


```
# PHP 7.4+
composer require solventt/csrf-protection ^0.1

# PHP 8.0+
composer require solventt/csrf-protection ^1.0
```

### Usage


```
// the token: stored in the PHP session and masked with a fresh secret on every read
$csrfToken = new MaskedCsrfToken(new SessionTokenStorage(), new SecurityHelper());

// ResponseFactory is assumed here to be a PSR-17 ResponseFactoryInterface
// implementation; the middleware uses it to build the response on validation failure
$middleware = new CsrfMiddleware($csrfToken, new ResponseFactory());

// then add the middleware to the middleware stack of your PSR-15 dispatcher
```

To get the name and a valid value of the token:

```
// data for a hidden HTML form field

$name = $csrfToken->getName();

$value = $csrfToken->getValue();
```
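The following is an added example, not code from this package, showing in plain PHP what the Features and Usage sections describe: a token that is generated once per session, masked with a fresh random secret on every read (so each `getValue()` result differs), and validated by stripping the mask and comparing in constant time. The class name `SimpleMaskedToken`, its method names, the `_csrf_secret` session key and the `_csrf` field name are all assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example (not the package's own code): a minimal masked Synchronizer
// Token implementation. Class, method and key names are assumptions.
final class SimpleMaskedToken
{
    private const SESSION_KEY = '_csrf_secret'; // assumed session key
    private const LENGTH = 32;                  // raw token length in bytes

    /** Generate the raw token once per session and keep it server-side only. */
    private function rawToken(): string
    {
        if (!isset($_SESSION[self::SESSION_KEY])) {
            $_SESSION[self::SESSION_KEY] = random_bytes(self::LENGTH);
        }
        return $_SESSION[self::SESSION_KEY];
    }

    /** Name of the hidden form field (assumed). */
    public function getName(): string
    {
        return '_csrf';
    }

    /**
     * Masked value for the form: a fresh random mask followed by (token XOR mask).
     * Every call yields a different string, so a compression side channel such as
     * BREACH never sees a stable secret in the response body.
     */
    public function getValue(): string
    {
        $token = $this->rawToken();
        $mask  = random_bytes(self::LENGTH);
        return base64_encode($mask . ($token ^ $mask));
    }

    /** Remove the mask from a submitted value and compare in constant time. */
    public function isValid(string $submitted): bool
    {
        $decoded = base64_decode($submitted, true);
        if ($decoded === false || strlen($decoded) !== 2 * self::LENGTH) {
            return false; // malformed or truncated value: reject without further work
        }
        $mask   = substr($decoded, 0, self::LENGTH);
        $masked = substr($decoded, self::LENGTH);
        return hash_equals($this->rawToken(), $masked ^ $mask);
    }
}

// Demonstration. When run from the CLI there is no active session, so a plain
// array stands in for session_start(); in a web request this line is not needed.
$_SESSION = [];
$csrf = new SimpleMaskedToken();

$first  = $csrf->getValue();
$second = $csrf->getValue();

echo 'masked values differ per read: ', var_export($first !== $second, true), PHP_EOL;
echo 'first value validates:         ', var_export($csrf->isValid($first), true), PHP_EOL;
echo 'second value validates:        ', var_export($csrf->isValid($second), true), PHP_EOL;
echo 'unrelated value is rejected:   ',
    var_export($csrf->isValid(base64_encode(random_bytes(64))), true), PHP_EOL;
echo 'tampered value is rejected:    ', var_export($csrf->isValid('not-base64!'), true), PHP_EOL;

// The hidden field a template would emit for the Usage section's $name / $value pair.
printf(
    '<input type="hidden" name="%s" value="%s">%s',
    htmlspecialchars($csrf->getName(), ENT_QUOTES, 'UTF-8'),
    htmlspecialchars($first, ENT_QUOTES, 'UTF-8'),
    PHP_EOL
);
```

Two details matter for a correct implementation of this pattern: the length check before unmasking rejects malformed input without touching the stored token, and `hash_equals` keeps the comparison constant-time so that a timing difference cannot leak how many leading bytes of a guess were right. Both "Back"-button resubmissions and concurrent tabs keep working because every masked value unmasks to the same session token.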

Somewhere in HTML:

```
