In this tutorial, we will learn how to implement CSRF (Cross-Site Request Forgery) protection in Lithe to prevent unwanted requests from being made to your application. This guide is designed for beginners, so we'll go step by step!
CSRF, or Cross-Site Request Forgery, is a type of attack where a user is tricked into executing an unauthorized action on a website where they are authenticated. This attack is dangerous because the attacker can manipulate data or access restricted areas. To prevent this, we add a security layer that stops suspicious requests from being processed.
Let’s get started!
If you haven't set up Lithe yet, start by installing the framework with the command below:
composer create-project lithephp/lithephp project-name cd project-name
This creates a basic structure for your project with Lithe.
The CSRF middleware helps generate and validate CSRF tokens. To install it, run the following command in the terminal within your project:
composer require lithemod/csrf
Now, we need to tell Lithe that we want to use the CSRF middleware. Open the main file src/App.php and add the CSRF middleware.
use Lithe\Middleware\Security\csrf;
use function Lithe\Orbis\Http\Router\router;
$app = new \Lithe\App;
// Configure the CSRF middleware with automatic checking in the request body
$app->use(csrf([
'expire' => 600, // Token expiration after 10 minutes
'checkBody' => true, // Enables automatic checking in the body
'bodyMethods' => ['POST', 'PUT', 'DELETE'], // Defines the methods for checking CSRF in the body
]));
$app->use(router(__DIR__ . '/routes/web'));
$app->listen();
With this, the CSRF middleware is active in our application, and every request that requires protection must include a valid token.
To use CSRF protection, we need to generate a unique token and include it in the requests. We’ll create a route to send a form that automatically includes the CSRF token.
use Lithe\Http\{Request, Response};
use function Lithe\Orbis\Http\Router\get;
get('/form', function (Request $req, Response $res) {
// Generate the CSRF token field
$tokenField = $req->csrf->getTokenField();
// Send the HTML with the token included in the form
return $res->send("
<form method='POST' action='/submit'>
$tokenField
<input type='text' name='data' placeholder='Type something' required>
<button type='submit'>Submit</button>
</form>
");
});
When the form is submitted, Lithe will automatically check if the token is valid. Now, let’s create the route that will receive and process the form.
composer create-project lithephp/lithephp project-name cd project-name
If the token is invalid or missing, Lithe will automatically block the request and return an error.
On the frontend, whenever you need to send a POST request (or another data-altering method), it's important to include the CSRF token in the body of the request or in the header, depending on how you configured your middleware.
For those using JavaScript, here’s an example of how to send the token with a fetch request:
composer require lithemod/csrf
In this tutorial, we learned:
With this protection implemented, you make your application more secure against CSRF attacks, helping to protect the integrity of your users' data.
For more detailed information, check out the official Lithe Documentation.
The above is the detailed content of Protecting Your Application with CSRF in Lithe. For more information, please follow other related articles on the PHP Chinese website!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
