Fix for issue #149: CSRF protection URI whitelisting #236

merged 5 commits into from Aug 25, 2011


None yet
7 participants

alexbilbie commented Aug 21, 2011

Fix for issue #149

When developing applications that may have a web front end and an API front end (for example using Phil's REST server library) if you have CSRF protection enabled then POST API requests will fail because a non existent CSRF token can't be verified when the request is received.

The changes here add a new config parameter 'csrf_exclude_uris' which allows for URIs to be whitelisted from CSRF protection.

$config['csrf_exclude_uris'] = array('api/person/add');

I've also updated the Security library documentation.


alexbilbie commented Aug 21, 2011

Gah, Github picked up on some other irrelevant commits. The last two in the list above are the relevant commits.


ericbarnes commented Aug 21, 2011

@alexbilbie Excellent work.

You have any thoughts if it would be better to white list based on external urls instead of your own uris?


alexbilbie commented Aug 21, 2011

No no, that would be far too complicated, wouldn't scale etc. Better to have one or two endpoints that explicitly don't check for a CSRF cookie and yet still have the rest of your application secure

@alexbilbie alexbilbie closed this Aug 21, 2011

@alexbilbie alexbilbie reopened this Aug 21, 2011


ericbarnes commented Aug 24, 2011

@alexbilbie Can you also add a note in the changelog about this?

@ericbarnes ericbarnes merged commit 6a93995 into bcit-ci:develop Aug 25, 2011

Great! I needed it some months ago. Thanks.

Awesome fix! I have a little lump of code that allows generalized uris to be white listed. For example, if you specify only the controller, all methods will be whitelisted too. Is that something EllisLabs would appreciate within this feature too? Great fix alexbilbie!

is this available in the latest stable version? 2.1.0 ?

still not available in 2.1.1 :-(


alexbilbie commented Jun 23, 2012

For some reason this wasn't merged into 2.1 or 2.1.1 releases. It will definitely be in 3.0.

Dentxinho pushed a commit to Dentxinho/CodeIgniter that referenced this pull request Sep 28, 2012

Merge pull request #236 from Militis/hotfix/indent_fix
Fix indentation from newest merges.

Still nothing on 2.1.3... It would be great feature.

@fozzmeistergeneral fozzmeistergeneral referenced this pull request Jun 28, 2013


csrf issue #2506

sviande pushed a commit to sviande/CodeIgniter that referenced this pull request Jan 3, 2014

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment