CSRF (Cross Site Request Forgery)

Cross-Site Request Forgery (CSRF) is a type of confused deputy attack: a forged request sent to the web server from the victim's browser carries the victim's authentication and authorization. A CSRF vulnerability affecting highly privileged users, such as administrators, could therefore result in a full application compromise.

Quantum provides protection through its CSRF library, which guards the application against requests from unknown sources by means of a token.

By default Quantum checks all POST, PUT and DELETE requests against the token, which means you must send the generated token with those requests.

Quantum's csrf_token() helper function generates the token; use it in your views to send the token back to the server under the name "token":


<form action="/update" method="post">
    <input type="text" name="firstname" />
    <input type="text" name="lastname" />
    <input type="hidden" name="token" value="<?php echo csrf_token() ?>" />
    <input type="submit" />
</form>


Alternatively, the token can be sent in the request header under the key "X-CSRF-TOKEN" via JavaScript, after first placing it in a <meta> tag in the page's <head>:


<meta name="csrf-token" content="<?php echo csrf_token() ?>" />


Then read the token with JavaScript and send it to the server in the AJAX request header:


// Read the token from the <meta name="csrf-token"> tag and send it as the X-CSRF-TOKEN header
var xhttp = new XMLHttpRequest();
xhttp.open("POST", "/update", true);
xhttp.setRequestHeader("X-CSRF-TOKEN", document.head.querySelector("[name=csrf-token]").content);
xhttp.send();


If you want to disable the CSRF token check, add the following code to your controller's __before() method:


public function __before() {
    parent::$csrfVerification = false;
}
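To make the server-side half of the exchange concrete, the following is an added, stand-alone PHP illustration of the check the text describes: a token issued into the session, then verified on POST, PUT and DELETE requests from either the "token" form field or the X-CSRF-TOKEN header, with a flag that mirrors turning verification off. It is not Quantum's own code; the function names issueCsrfToken() and verifyCsrfRequest() and the assumption that header names arrive normalised as "X-CSRF-TOKEN" are this example's own, and the sample requests at the bottom are constructed.

```php
<?php
// Added illustration of a CSRF token check. Not Quantum's code: it models what a
// CSRF middleware does so the moving parts are visible. The function names
// issueCsrfToken() and verifyCsrfRequest() are assumptions for this example.

declare(strict_types=1);

/**
 * Generate a fresh token and store it in the session so the server can compare
 * against it later. In a real application $session would be $_SESSION or the
 * framework's session store.
 */
function issueCsrfToken(array &$session): string
{
    // 32 random bytes -> 64 hex characters; random_bytes() is a CSPRNG.
    $session['csrf_token'] = bin2hex(random_bytes(32));
    return $session['csrf_token'];
}

/**
 * Decide whether a request may proceed. Mirrors the rules described on the page:
 *  - only POST, PUT and DELETE are checked; other methods pass through
 *  - the token is read from the "token" form field or the X-CSRF-TOKEN header
 *  - the comparison is constant-time, so the check does not leak the token
 *
 * $headers keys are assumed to be normalised to "X-CSRF-TOKEN" form; PHP itself
 * exposes that header in $_SERVER as HTTP_X_CSRF_TOKEN.
 */
function verifyCsrfRequest(
    string $method,
    array $params,
    array $headers,
    array $session,
    bool $csrfVerification = true
): bool {
    // Equivalent of setting $csrfVerification = false in __before(): skip the check.
    if (!$csrfVerification) {
        return true;
    }

    if (!in_array(strtoupper($method), ['POST', 'PUT', 'DELETE'], true)) {
        return true; // safe methods are not checked
    }

    $expected = $session['csrf_token'] ?? null;
    if (!is_string($expected) || $expected === '') {
        return false; // no token was ever issued for this session
    }

    // Form field first, then header; anything else is a missing token.
    $supplied = $params['token'] ?? $headers['X-CSRF-TOKEN'] ?? null;
    if (!is_string($supplied)) {
        return false;
    }

    return hash_equals($expected, $supplied);
}

// --- constructed sample requests, not captured traffic ---
$session = [];
$token = issueCsrfToken($session);

$cases = [
    'form post with token'     => verifyCsrfRequest('POST', ['token' => $token], [], $session),
    'ajax put with header'     => verifyCsrfRequest('PUT', [], ['X-CSRF-TOKEN' => $token], $session),
    'forged post, no token'    => verifyCsrfRequest('POST', ['firstname' => 'x'], [], $session),
    'forged post, wrong token' => verifyCsrfRequest('POST', ['token' => str_repeat('0', 64)], [], $session),
    'plain get'                => verifyCsrfRequest('GET', [], [], $session),
    'check disabled'           => verifyCsrfRequest('POST', [], [], $session, false),
];

foreach ($cases as $name => $ok) {
    printf("%-26s %s\n", $name, $ok ? 'allowed' : 'rejected');
}
```

The two forged requests are rejected because a page on another origin can make the victim's browser submit a form or send an XHR, but it cannot read the token out of the victim's session-bound page, so it can supply neither the "token" field nor the header with the right value. hash_equals() is used rather than === so that the comparison time does not depend on how many leading characters match.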
