CSRF (Cross Site Request Forgery)
Cross-site Request Forgery (CSRF) is a type of confused deputy attack that leverages the victim's authentication and authorization: the browser automatically attaches the victim's session cookies to a forged request, so the web server processes it as if the victim had sent it deliberately. A CSRF vulnerability affecting highly privileged users, such as administrators, can therefore result in a full application compromise.
Quantum protects against this with its CSRF library, which rejects requests from unknown sources unless they carry a valid token.
By default Quantum checks all POST, PUT and DELETE requests against the token, so you must send the generated token with every such request. GET requests are not checked, which is one more reason a GET handler should never change state.
The csrf_token() helper function generates the token; call it in your views to send it back to the server under the name "token".
<form action="/update" method="post">
    <input type="text" name="firstname" />
    <input type="text" name="lastname" />
    <input type="hidden" name="token" value="<?php echo csrf_token() ?>" />
    <input type="submit" />
</form>
Alternatively, the token can be sent in the X-CSRF-TOKEN request header via JavaScript, after first placing it in a <meta> tag in the page header. The tag must actually echo the token; a bare <? csrf_token() ?> relies on short open tags and prints nothing, so the header would be sent empty:
<meta name="csrf-token" content="<?php echo csrf_token() ?>" />
Then read the token from the <meta> tag with JavaScript and send it to the server in the request header of the AJAX call:
// Read the token rendered into <meta name="csrf-token"> and attach it to the request.
var xhttp = new XMLHttpRequest();
xhttp.open("POST", "/update", true);
xhttp.setRequestHeader("X-CSRF-TOKEN", document.head.querySelector("[name=csrf-token]").content);
xhttp.send(); // add a body (e.g. FormData) here if the endpoint expects one
If you want to disable the CSRF token check for a controller, add the following to its __before() method. Do this only for endpoints that do not rely on cookie-based sessions (for example, an API authenticated by a bearer token that the browser does not attach automatically), because every POST, PUT and DELETE route of that controller will then be accepted without a token.
public function __before() {
    parent::$csrfVerification = false;
}