Skip to content


Subversion checkout URL

You can clone with
Download ZIP


Fix for issue #149: CSRF protection URI whitelisting #236

merged 5 commits into from

7 participants


Fix for issue #149

When developing applications that may have a web front end and an API front end (for example using Phil's REST server library) if you have CSRF protection enabled then POST API requests will fail because a non existent CSRF token can't be verified when the request is received.

The changes here add a new config parameter 'csrf_exclude_uris' which allows for URIs to be whitelisted from CSRF protection.

$config['csrf_exclude_uris'] = array('api/person/add');

I've also updated the Security library documentation.


Gah, Github picked up on some other irrelevant commits. The last two in the list above are the relevant commits.


@alexbilbie Excellent work.

You have any thoughts if it would be better to white list based on external urls instead of your own uris?


No no, that would be far too complicated, wouldn't scale etc. Better to have one or two endpoints that explicitly don't check for a CSRF cookie and yet still have the rest of your application secure

@alexbilbie alexbilbie closed this
@alexbilbie alexbilbie reopened this

@alexbilbie Can you also add a note in the changelog about this?

@ericbarnes ericbarnes merged commit 6a93995 into bcit-ci:develop

Great! I needed it some months ago. Thanks.


Awesome fix! I have a little lump of code that allows generalized uris to be white listed. For example, if you specify only the controller, all methods will be whitelisted too. Is that something EllisLabs would appreciate within this feature too? Great fix alexbilbie!


is this available in the latest stable version? 2.1.0 ?


still not available in 2.1.1 :-(


For some reason this wasn't merged into 2.1 or 2.1.1 releases. It will definitely be in 3.0.

@moura137 moura137 referenced this pull request from a commit
@moura137 moura137 Merge branch 'develop' of git:// into …

* 'develop' of git:// (944 commits)
  Revert default config value of db pconnect to TRUE (issue #793)
  Updated pagination library documentation with prefix and suffix
  Fix issue #1533
  Fix issues #1529 & #1530
  Change where() to skip dbprefix (until a better solution is available)
  Fix Interbase _field_data() method
  Some fixes to the SQLSRV and MSSQL drivers
  Some changes to the OCI8 (Oracle) driver
  Use the VIEWPATH constant, instead of assuming the user hasn't moved them
  Add a default _limit() method to the Query Builder class
  Minor changes to the MySQL and MySQLi drivers
  Add _where() changes from pull #1517 to the PostgreSQL driver
  If there is no output then no need to try minifying it
  Added ['reuse_query_string'] to Pagination. This allows automatic repopulation of query string arguments, combined with normal URI segments.
  Clarified support of $config['csrf_exclude_uris'] support in v3.0 (#236)
  Added optional fourth parameter to timezone_menu
  fixed query grouping when using where($array) syntax
  Replaced block tag minification regex with a less greedy solution.
  Fix issue #79
  Fix issue #1510

Still nothing on 2.1.3... It would be great feature.

@fozzmeistergeneral fozzmeistergeneral referenced this pull request

csrf issue #2506

@sviande sviande referenced this pull request from a commit in sviande/CodeIgniter
@derekjones derekjones typo in modification to MySQLi driver. Fixes #236 8a4a1b1
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Commits on Aug 20, 2011
  1. Renamed some Session library functions to make them shorter. Includes…

    Alex Bilbie authored
    … backwards compatibility.
Commits on Aug 21, 2011
  1. Revert 43194ea1af658914a89ca49aed4dca4617b9c4ff^..HEAD

    Alex Bilbie authored
  2. Added new config parameter "csrf_exclude_uris" which allows for URIs …

    Alex Bilbie authored
    …to be whitelisted from CSRF verification. Fixes #149
  3. Updated Security library documentation with details on how to whiteli…

    Alex Bilbie authored
    …st URIs from CSRF protection
Commits on Aug 24, 2011
  1. @alexbilbie

    Added note in changelog

    alexbilbie authored
This page is out of date. Refresh to see the latest.
2  application/config/config.php
@@ -292,11 +292,13 @@
| 'csrf_token_name' = The token name
| 'csrf_cookie_name' = The cookie name
| 'csrf_expire' = The number in seconds the token should expire.
+| 'csrf_exclude_uris' = Array of URIs which ignore CSRF checks
$config['csrf_protection'] = FALSE;
$config['csrf_token_name'] = 'csrf_test_name';
$config['csrf_cookie_name'] = 'csrf_cookie_name';
$config['csrf_expire'] = 7200;
+$config['csrf_exclude_uris'] = array();
12 system/core/Security.php
@@ -93,6 +93,16 @@ public function csrf_verify()
return $this->csrf_set_cookie();
+ // Check if URI has been whitelisted from CSRF checks
+ if ($exclude_uris = config_item('csrf_exclude_uris'))
+ {
+ $uri = load_class('URI', 'core');
+ if (in_array($uri->uri_string(), $exclude_uris))
+ {
+ return $this;
+ }
+ }
// Do the tokens exist in both the _POST and _COOKIE arrays?
if ( ! isset($_POST[$this->_csrf_token_name]) OR
@@ -116,7 +126,7 @@ public function csrf_verify()
- log_message('debug', "CSRF token verified ");
+ log_message('debug', "CSRF token verified");
return $this;
1  user_guide/changelog.html
@@ -75,6 +75,7 @@
<li>Visual updates to the welcome_message view file and default error templates. Thanks to <a href="">danijelb</a> for the pull request.</li>
<li class="reactor">Added <samp>insert_batch()</samp> function to the PostgreSQL database driver. Thanks to epallerols for the patch.</li>
<li class="reactor">Added "application/x-csv" to mimes.php.</li>
+ <li class="reactor">Added CSRF protection URI whitelisting.</li>
<li>Fixed a bug where <a href="libraries/email.html">Email library</a> attachments with a "." in the name would using invalid MIME-types.</li>
3  user_guide/libraries/security.html
@@ -116,6 +116,9 @@
<p>If you use the <a href="../helpers/form_helper.html">form helper</a> the <var>form_open()</var> function will automatically insert a hidden csrf field in your forms.</p>
+<p>Select URIs can be whitelisted from csrf protection (for example API endpoints expecting externally POSTed content). You can add these URIs by editing the 'csrf_exclude_uris' config parameter:</p>
+<code>$config['csrf_exclude_uris'] = array('api/person/add');</code>
<!-- END CONTENT -->
Something went wrong with that request. Please try again.