Closed
📦 Sub-Issue of Epic #208
Part of: SecPal/frontend#208 (httpOnly Cookie Authentication Migration)
Priority: High
Area: Backend, Security, CSRF
Repository: api
Goal
Implement CSRF token endpoint and apply security hardening for httpOnly cookie authentication including session configuration and security headers.
Acceptance Criteria
- CSRF token endpoint accessible at `/sanctum/csrf-cookie`
- `VerifyCsrfToken` middleware configured correctly
- Session configuration uses the `cookie` driver
- Session cookies configured as `httpOnly`, `secure` (production), `sameSite: lax`
- Security headers added (X-Frame-Options, X-Content-Type-Options)
- Tests verify CSRF protection works
- Tests verify CSRF token refresh flow
- PHPStan passes
- Pint passes
- All existing tests pass
Implementation Details
Files to modify:
- `config/session.php`
- `app/Http/Middleware/VerifyCsrfToken.php`
- `.env.example`
Session Configuration:

```php
// config/session.php
'driver' => env('SESSION_DRIVER', 'cookie'),
'lifetime' => 120,            // minutes of inactivity before the session expires
'expire_on_close' => false,
'http_only' => true,          // session cookie is never readable from JavaScript
// Defaults to false so local HTTP (ddev) works; production must set
// SESSION_SECURE_COOKIE=true in .env so the cookie is only sent over HTTPS.
'secure' => env('SESSION_SECURE_COOKIE', false),
// 'lax' still attaches the cookie to top-level GET navigations, so every
// state-changing route has to stay POST/PUT/DELETE and behind VerifyCsrfToken.
'same_site' => 'lax',
```

CSRF Exemptions (if needed):
```php
// app/Http/Middleware/VerifyCsrfToken.php
protected $except = [
    // No exemptions for SPA mode
];
```

Dependencies
- Depends on: Backend PR-1 (needs Sanctum configured)
- Blocks: Frontend PR-2 (Frontend needs CSRF endpoint)
Testing
```bash
# Test CSRF token endpoint
# Expect HTTP 204 No Content with Set-Cookie headers for XSRF-TOKEN and the session cookie
curl -X GET http://api.secpal.test/sanctum/csrf-cookie -i

# Test CSRF protection
ddev exec php artisan test --filter=Csrf
ddev exec vendor/bin/phpstan analyze
ddev exec vendor/bin/pint --test --dirty
```

References
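The acceptance criteria above ("Tests verify CSRF protection works" and "Tests verify CSRF token refresh flow") are left to the implementer. The feature test below is an added example, not SecPal code, of what `php artisan test --filter=Csrf` could exercise. It assumes a standard Laravel app with Sanctum installed, the `web` middleware group (EncryptCookies, StartSession, VerifyCsrfToken) wrapping both `/sanctum/csrf-cookie` and the project's stateful routes, and the session configured as in `config/session.php` above. The `/_csrf-probe` route and the `CsrfCookieTest` class name are the example's own inventions; the route is registered by the test itself so no application route is assumed.

```php
<?php

// Added example (not part of the SecPal repository). Assumes Laravel + Sanctum
// with the default 'web' middleware group. /_csrf-probe is a throwaway route
// registered below purely so the test has a state-changing endpoint to hit.

namespace Tests\Feature;

use Illuminate\Support\Facades\Route;
use Tests\TestCase;

class CsrfCookieTest extends TestCase
{
    protected function setUp(): void
    {
        parent::setUp();

        // VerifyCsrfToken skips verification while the app environment is
        // "testing" (its runningUnitTests() check). Switch the environment so
        // the middleware really enforces the token in these tests.
        $this->app['env'] = 'local';

        // Assumption: stateful SPA routes sit behind the 'web' group, like this probe.
        Route::post('/_csrf-probe', fn () => response()->noContent())
            ->middleware('web');
    }

    public function test_csrf_cookie_endpoint_sets_cookies_with_expected_flags(): void
    {
        $response = $this->get('/sanctum/csrf-cookie');
        $response->assertNoContent();

        // XSRF-TOKEN must be readable by the SPA, so it is deliberately NOT httpOnly.
        $xsrf = $response->getCookie('XSRF-TOKEN', decrypt: false);
        $this->assertNotNull($xsrf);
        $this->assertFalse($xsrf->isHttpOnly());

        // The session cookie carries authentication state and must never be
        // script-readable; SameSite and Secure mirror config/session.php.
        $session = $response->getCookie(config('session.cookie'), decrypt: false);
        $this->assertNotNull($session);
        $this->assertTrue($session->isHttpOnly());
        $this->assertSame('lax', $session->getSameSite());
        $this->assertSame((bool) config('session.secure'), $session->isSecure());
    }

    public function test_state_changing_request_without_token_is_rejected(): void
    {
        // No cookies, no header: TokenMismatchException renders as HTTP 419.
        $this->post('/_csrf-probe')->assertStatus(419);
    }

    public function test_token_from_cookie_is_accepted_when_echoed_in_header(): void
    {
        // Step 1: the SPA bootstraps by fetching the CSRF cookie.
        $bootstrap = $this->get('/sanctum/csrf-cookie');

        // Step 2: replay every Set-Cookie verbatim, as a browser would. The
        // values are already encrypted by EncryptCookies, so they are sent
        // as unencrypted (raw) cookies rather than being re-encrypted.
        $jar = [];
        foreach ($bootstrap->headers->getCookies() as $cookie) {
            $jar[$cookie->getName()] = $cookie->getValue();
        }

        // Step 3: axios behaviour: copy the XSRF-TOKEN cookie into X-XSRF-TOKEN.
        $this->withUnencryptedCookies($jar)
            ->withHeader('X-XSRF-TOKEN', $jar['XSRF-TOKEN'])
            ->post('/_csrf-probe')
            ->assertNoContent();

        // A forged or stale header value with the same session cookies is still rejected.
        $this->withUnencryptedCookies($jar)
            ->withHeader('X-XSRF-TOKEN', 'not-a-valid-token')
            ->post('/_csrf-probe')
            ->assertStatus(419);
    }
}
```

The third test is the refresh flow end to end: cookie issued, echoed back in the header, accepted; then the same session with a bad header, rejected. The first test pins the part that is easy to get wrong in review, namely that the session cookie is `httpOnly` while `XSRF-TOKEN` intentionally is not.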
Status: ✅ Done