minhaz edited this page Oct 11, 2016 · 15 revisions

What is CSRF Protector php library

The OWASP CSRF Protector Project is an effort by a group of developers to secure web applications against Cross-Site Request Forgery (CSRF). It provides a php library and an [Apache 2.x.x module (mod_csrfprotector)](https://github.com/mebjas/mod_csrfprotector), each deployed differently, for easy mitigation.

CSRF Protector -- php library

CSRFP-php is a standalone php library that can be used to mitigate CSRF in a web application. It works as a server-side interceptor: every request is processed by CSRFP before it reaches the web application logic. This lets the library validate the incoming request's **`CSRF token`** (the token is a [pseudo-random code](https://github.com/mebjas/CSRF-Protector-PHP/wiki/csrfp_token---pseudo-random-code-for-validation)). On successful validation the request is forwarded to the web application. **Otherwise,** action is taken as per configuration ([see configurations](https://github.com/mebjas/CSRF-Protector-PHP/wiki/Configurations)).
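The interception step described above, as an added example that is not the library's own code: a minimal interceptor that validates every POST, validates GET only for configured URL patterns, compares the token in constant time and acts per configuration on failure. The function names, the config keys (`CSRFP_TOKEN`, `failedAuthAction`, `verifyGetFor`, `errorRedirectionPage`), the `X-CSRF-Token` header and the cookie/field name are assumptions for illustration, not the library's API.

```php
<?php
// Added example (not csrfprotector's own code). Config keys, function names,
// cookie/field name and header name are assumptions for illustration.

// Constructed configuration: every POST is checked; GET only for these patterns.
$csrfpConfig = [
    'CSRFP_TOKEN'          => 'csrfp_token',   // cookie, form-field and session key name
    'failedAuthAction'     => 'forbidden',     // 'forbidden' | 'strip' | 'redirect'
    'verifyGetFor'         => ['/account/*', '/admin/*'],
    'errorRedirectionPage' => '/csrf-error',
];

function csrfp_new_token(int $bytes = 32): string {
    // Pseudo-random code from the OS CSPRNG, hex-encoded.
    return bin2hex(random_bytes($bytes));
}

function csrfp_path_matches(string $path, array $patterns): bool {
    foreach ($patterns as $pattern) {
        // Escape the pattern, then turn the '*' wildcard into '.*'.
        $re = '#^' . str_replace('\*', '.*', preg_quote($pattern, '#')) . '$#';
        if (preg_match($re, $path)) {
            return true;
        }
    }
    return false;
}

function csrfp_needs_validation(string $method, string $path, array $config): bool {
    if ($method === 'POST') {
        return true;                                   // every POST is validated
    }
    if ($method === 'GET') {
        return csrfp_path_matches($path, $config['verifyGetFor']);  // only allowed patterns
    }
    return false;
}

function csrfp_token_is_valid(?string $submitted, ?string $expected): bool {
    if ($submitted === null || $expected === null || $expected === '') {
        return false;
    }
    return hash_equals($expected, $submitted);         // constant-time comparison
}

// Run before any application code. Returns true if the request may proceed.
function csrfp_intercept(array $config): bool {
    session_start();
    $name = $config['CSRFP_TOKEN'];

    // Issue a token on first contact; kept server-side and mirrored in a cookie
    // that the injected client script can read (deliberately not HttpOnly).
    if (empty($_SESSION[$name])) {
        $_SESSION[$name] = csrfp_new_token();
        setcookie($name, $_SESSION[$name], 0, '/', '', !empty($_SERVER['HTTPS']), false);
    }

    $method = strtoupper($_SERVER['REQUEST_METHOD'] ?? 'GET');
    $path   = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?? '/';
    if (!csrfp_needs_validation($method, $path, $config)) {
        return true;
    }

    // XHR sends the token as a header; forms send it as a field.
    $submitted = $_SERVER['HTTP_X_CSRF_TOKEN']
        ?? ($method === 'POST' ? ($_POST[$name] ?? null) : ($_GET[$name] ?? null));

    if (csrfp_token_is_valid($submitted, $_SESSION[$name])) {
        return true;
    }

    switch ($config['failedAuthAction']) {
        case 'strip':          // neutralise the request, let the app render a page
            $_POST = [];
            $_GET  = [];
            return true;
        case 'redirect':
            header('Location: ' . $config['errorRedirectionPage'], true, 303);
            exit;
        default:               // 'forbidden'
            http_response_code(403);
            exit('Forbidden: missing or invalid CSRF token');
    }
}

// Usage: include this file at the top of the entry script.
// if (csrfp_intercept($csrfpConfig)) { /* application logic follows */ }
```

Two caveats a practitioner should keep in mind: validating GET requests by URL pattern means the token travels in the query string, where it can leak through logs, browser history and the `Referer` header, so keep `verifyGetFor` to the few state-changing GET endpoints that cannot be converted to POST; and because the cookie must be readable by script for the client-side code to work, any XSS on the site also discloses the token, so CSRF protection is not a substitute for output encoding.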

Similarly, every output generated by the web application is filtered and modified by the library. The main task is to append JavaScript code to the generated output; this is done with PHP output buffering. Along with it, a `<noscript>` notice is appended for browsers in which JavaScript is disabled or unsupported.

Note: A no-JavaScript mode is supported as well; check the nojs branch for it. However, it is advised to use the master version if your web app already requires JavaScript to be enabled in the client browser. See why?

The JavaScript code attached to the HTML output makes sure the token is attached to every request for which the server requires a token.

Note: Currently CSRFP validates every POST request, and those GET requests whose URL patterns are allowed as per configuration.

The JavaScript code works well with

  • Static form elements (`<form>`)
  • Dynamically generated forms
  • AJAX requests (XHR or `XMLHttpRequest`)
  • Static URLs (if allowed by configuration rules)
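The output-filtering step and the client-side behaviour listed above, as one added example that is not the library's own code: an `ob_start` callback that appends a `<noscript>` notice and a script to every HTML response. The script reads the token from a non-HttpOnly cookie, adds it as a hidden field to any form at submit time (which covers dynamically generated forms, because the listener is on the document) and adds it as a request header to every non-GET `XMLHttpRequest`. The cookie name `csrfp_token`, the header name `X-CSRF-Token` and the function names are assumptions for illustration, not the library's API.

```php
<?php
// Added example (not csrfprotector's own code). Cookie name, header name and
// function names are assumptions for illustration.

const CSRFP_COOKIE = 'csrfp_token';

function csrfp_client_script(): string {
    // The token cookie name is passed in as a JSON string literal.
    $cookie = json_encode(CSRFP_COOKIE);
    return <<<JS
<script>
(function () {
  var NAME = $cookie;
  function token() {
    var m = document.cookie.match(new RegExp('(?:^|; )' + NAME + '=([^;]*)'));
    return m ? decodeURIComponent(m[1]) : '';
  }
  // Static and dynamically generated forms: hook submission at document level,
  // in the capture phase, and add the token as a hidden field if it is missing.
  document.addEventListener('submit', function (e) {
    var form = e.target;
    if (!(form instanceof HTMLFormElement) || form.elements[NAME]) return;
    var input = document.createElement('input');
    input.type = 'hidden';
    input.name = NAME;
    input.value = token();
    form.appendChild(input);
  }, true);
  // XHR: remember the method at open(), add the header at send().
  var open = XMLHttpRequest.prototype.open, send = XMLHttpRequest.prototype.send;
  XMLHttpRequest.prototype.open = function (method) {
    this._csrfpMethod = String(method).toUpperCase();
    return open.apply(this, arguments);
  };
  XMLHttpRequest.prototype.send = function () {
    if (this._csrfpMethod !== 'GET' && this._csrfpMethod !== 'HEAD') {
      this.setRequestHeader('X-CSRF-Token', token());
    }
    return send.apply(this, arguments);
  };
})();
</script>
JS;
}

function csrfp_noscript_notice(): string {
    return '<noscript>This site requires JavaScript for request protection; '
         . 'submissions made without it will be rejected.</noscript>';
}

// ob_start callback: leave non-HTML responses alone; insert before </body>
// when present, otherwise append to the end of the buffer.
function csrfp_output_filter(string $buffer): string {
    $contentType = '';
    foreach (headers_list() as $header) {
        if (stripos($header, 'Content-Type:') === 0) {
            $contentType = $header;
        }
    }
    if ($contentType !== '' && stripos($contentType, 'text/html') === false) {
        return $buffer;                      // JSON, images, downloads: untouched
    }

    $inject = csrfp_noscript_notice() . "\n" . csrfp_client_script() . "\n";
    $pos = strripos($buffer, '</body>');
    return $pos === false ? $buffer . $inject
                          : substr_replace($buffer, $inject, $pos, 0);
}

// Usage: start buffering at the very top of the entry script, before any output.
// ob_start('csrfp_output_filter');
```

The server side must then accept the token from either the hidden field or the `X-CSRF-Token` header. Note that the header only helps for same-origin XHR: a cross-origin request carrying a custom header triggers a CORS preflight, which is exactly the behaviour that makes header-borne tokens a reliable CSRF signal.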

Here is a list of resources you may need to deploy or integrate CSRFP in your web application:
