In Yii2, whether you use the testing tool Postman, a command-line curl request, or an AJAX request, a POST always comes back with HTTP 400: Bad Request; yet if you access the same action with GET from a web page (after removing the POST restriction in VerbFilter), it works normally.
After checking the information, I found that this is caused by CSRF validation.
Principle:
Cookie hashing: every form the server sends to the client carries a random _csrf value, and at the same time an associated token is stored in the client's cookie;
During validation, the server compares the hidden _csrf input received from the request ($_POST) with the token in the client's cookie; the request is accepted only if the two match.
The attacker's approach relies on the client's cookie being sent along with the forged request, but the attacker cannot read the actual contents of that cookie. (XSS is left aside here: if the website has an XSS vulnerability the user's cookies are easily stolen, but that is a separate case; in general, attackers give up once they see that a hash value would have to be computed.) Therefore the attacker cannot add the token to the attack URL, and validation fails.
This may be the simplest solution: because the attacker (in theory) cannot obtain the third-party cookie, the forged form data fails validation.
Solution:
1. Disable CSRF validation (not recommended). In the application config:
    'components' => [
        'request' => [
            'cookieValidationKey' => '83r5HbITBiMfmiYPOZFdL-raVp4O1VV4',
            'enableCookieValidation' => false,
            'enableCsrfValidation' => false,
        ],
    ],
2. Carry the CSRF information when submitting data
a. When the form is rendered with the ActiveForm component, the submitted data automatically includes _csrf
b. When submitting via AJAX, obtain the CSRF information, add it to the request header (as shown below), and send it together with the data to be submitted
c. You can also obtain the CSRF information through PHP:
    Yii::$app->request->csrfParam;  (gets the csrf-param, i.e. the parameter name)
    Yii::$app->request->csrfToken;  (gets the csrf-token, i.e. the token value)
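A worked example of options b and c together, added here and not taken from the original article or from the Yii project: a Yii 2 view file that reads the CSRF parameter name and token server-side through the two request properties listed above, hands them to the page as safe JavaScript literals, and sends an AJAX POST that carries the token both as a form field and as the X-CSRF-Token header (Yii checks either one). The action route site/save, the button id save-btn and the title field are assumptions made for the example.

```php
<?php
/* Added example, not part of the original article. A Yii 2 view that
 * submits an AJAX POST which passes CSRF validation.
 * Assumptions: the controller action /site/save exists and is limited to
 * POST by VerbFilter, and the request component has CSRF validation enabled
 * (the default), so the _csrf cookie is set on the first page load.
 */

use yii\helpers\Json;
use yii\helpers\Url;
use yii\web\View;

/** @var yii\web\View $this */

// The same two properties the article lists: parameter name and token value.
$csrfParam = Yii::$app->request->csrfParam;   // default '_csrf'
$csrfToken = Yii::$app->request->csrfToken;   // masked token tied to the cookie
$postUrl   = Url::to(['site/save']);          // assumed POST-only action

// Json::htmlEncode turns each value into a JavaScript string literal that is
// safe to embed in a <script> block (no breaking out of the string or tag).
$csrfParamJs = Json::htmlEncode($csrfParam);
$csrfTokenJs = Json::htmlEncode($csrfToken);
$postUrlJs   = Json::htmlEncode($postUrl);
?>

<button id="save-btn" type="button">Save</button>

<?php
// POS_END places the script at the end of <body>, with no jQuery dependency.
$this->registerJs(<<<JS
(function () {
    var csrfParam = $csrfParamJs;
    var csrfToken = $csrfTokenJs;
    var postUrl   = $postUrlJs;

    document.getElementById('save-btn').addEventListener('click', function () {
        var body = new URLSearchParams();
        body.append('title', 'hello');       // the actual payload (assumed field)
        body.append(csrfParam, csrfToken);   // option 1: token as a POST field

        fetch(postUrl, {
            method: 'POST',
            credentials: 'same-origin',      // the _csrf cookie must travel with the request
            headers: {
                'X-CSRF-Token': csrfToken,   // option 2: header form Yii also accepts
                'X-Requested-With': 'XMLHttpRequest'
            },
            body: body
        }).then(function (response) {
            if (response.status === 400) {
                // Token missing or not matching the cookie: the article's symptom.
                console.error('CSRF validation failed');
            }
            return response.text();
        }).then(function (text) {
            console.log(text);
        });
    });
})();
JS
, View::POS_END);
```

Only one of the two transports is required; sending both simply shows where Yii looks. The cookie comparison is what makes this work, so a client such as Postman or curl that does not first receive the _csrf cookie from a GET and then replay it with the POST will keep getting 400 even with a token in the body.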
The above covers how Yii 2.0 defends against CSRF attacks. For more related content, please follow the PHP Chinese website (www.php.cn)!