webiik/csrf
===========

The Csrf provides CSRF protection.

Version 1.0 (7y ago), MIT license, PHP >=7.2

Csrf
====

The Csrf provides CSRF protection.

Installation
------------

```
composer require webiik/csrf
```

Example
-------

```
// $token and $session are the objects the Csrf constructor expects, created beforehand.
$csrf = new \Webiik\Csrf\Csrf($token, $session);
$csrfToken = $csrf->create();

// Now send $csrfToken to the next request, e.g. using $_POST...
```

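In the next request, validate the token:

```
$csrf = new \Webiik\Csrf\Csrf($token, $session);
// A missing POST field falls back to an empty string, so validate() always receives a string.
if ($csrf->validate($_POST[$csrf->getName()] ?? '')) {
    // CSRF token is valid
}
```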

Configuration
-------------

### setName

```
setName(string $name): void
```

**setName()** sets a custom CSRF token name. The default name is 'csrf-token'. The name is also the session key of the CSRF token.

```
$csrf->setName('my-csrf-token');
```

### setMax

```
setMax(int $max): void
```

**setMax()** sets the maximum number of simultaneous CSRF tokens that can be stored in the session. The default is 5, which means, for example, that a user can have up to 5 CSRF-protected forms open at once. If this limit is exceeded, `create()` does not generate a new CSRF token; it returns the most recently generated token instead.

```
$csrf->setMax(5);
```

> Save resources: never set this number too high.

Generating
----------

### create

```
create(bool $safe = false): string
```

**create()** returns a 16-character CSRF token and stores it in the session. To generate safe tokens, set the **$safe** parameter to **true**.

```
$csrfToken = $csrf->create();
```

> Safe tokens are slower to generate and require more resources.

Validation
----------

### validate

```
validate(string $token, bool $safe = false): bool
```

**validate()** checks **$token** against all CSRF tokens stored in the session. If **$token** is valid, it returns true and deletes the matching token from the session. To use timing-attack-safe validation, set the **$safe** parameter to **true**.

```
$csrf->validate($token);
```

> Timing-attack safe validation is slower and requires more resources.
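
The pool behaviour described under setMax, create and validate (a capped set of tokens, reuse of the newest token once the cap is reached, one-time use on validation), modelled as an added example that is not the package's own code. `TokenPool` and the plain array standing in for the session are hypothetical, and generating tokens with `random_bytes()` and comparing them with `hash_equals()` are assumptions about what the safe modes involve.

```php
<?php
declare(strict_types=1);

// Hypothetical TokenPool: models the behaviour described above, not Webiik's code.
final class TokenPool
{
    private $store;                // reference to a session-like array
    private $name = 'csrf-token';  // session key (the page's default name)
    private $max = 5;              // pool size (the page's default)

    public function __construct(array &$store) { $this->store = &$store; }

    public function create(): string
    {
        $tokens = $this->store[$this->name] ?? [];
        if (count($tokens) >= $this->max) {
            return end($tokens);   // pool full: hand back the newest token
        }
        // Assumption: 8 CSPRNG bytes, hex-encoded to 16 characters.
        $tokens[] = bin2hex(random_bytes(8));
        $this->store[$this->name] = $tokens;
        return end($tokens);
    }

    public function validate(string $candidate): bool
    {
        $tokens = $this->store[$this->name] ?? [];
        foreach ($tokens as $i => $known) {
            // hash_equals() is PHP's timing-attack-safe string comparison.
            if (hash_equals($known, $candidate)) {
                unset($tokens[$i]);                              // one-time use
                $this->store[$this->name] = array_values($tokens);
                return true;
            }
        }
        return false;
    }
}

$session = [];                     // constructed stand-in for $_SESSION
$pool = new TokenPool($session);
$issued = [];
for ($i = 0; $i < 6; $i++) {
    $issued[] = $pool->create();   // the sixth call hits the limit of five
}
var_dump($issued[5] === $issued[4]);     // was the newest token reused?
var_dump($pool->validate($issued[0]));   // first submission
var_dump($pool->validate($issued[0]));   // replay of a consumed token
var_dump($pool->validate('forged'));     // value that was never issued
```

Because a full pool hands back an existing token, two open forms can end up sharing it, and the first successful submission invalidates it for the other.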

Resources
---------

- [Webiik framework](https://github.com/webiik/webiik)
- [Report issue](https://github.com/webiik/components/issues)

