To prevent CSRF attacks in PHP applications, you need to use anti-CSRF tokens, verify HTTP methods, set SameSite cookie attributes, and consider using a framework that automatically handles CSRF. 1. Use anti-CSRF token: the server generates a unique token and associates it with the user session, adds a hidden field to the form to submit the token, and verify whether the token matches when submitting; 2. Verify HTTP method: Ensure that sensitive operations are only performed through secure methods such as POST, and rejects unanticipated GET requests; 3. Set SameSite Cookie attribute: Configure SameSite=Strict or Lax through session_set_cookie_params to prevent cross-site requests from carrying cookies; 4. Use frameworks: such as Laravel, Symfony and other built-in CSRF protection mechanisms, automatically handle token generation and verification, improve security and reduce manual omissions.

Preventing Cross-Site Request Forgery (CSRF) in PHP applications is essential for securing user data and ensuring that actions taken in your app are intentional. The core idea is to verify that requests coming into your system were intentionally made by the authenticated user — not by a third party trying to exploit them.

Here's how you can effectively protect your PHP application from CSRF attacks.

Use Anti-CSRF Tokens

The most reliable method to prevent CSRF is by using anti-CSRF tokens (also known as synchronizer tokens). These are unique, unpredictable values generated by the server and associated with a user's session.

• When generating a form, include a hidden input field containing this token.
• On form submission, check if the submitted token matches the one stored in the session.
• If they don't match, reject the request.

For example:

 // Generate token (if not already set)
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(50));
}

// In your form:
echo &#39;<input type="hidden" name="csrf_token" value="&#39; . $_SESSION[&#39;csrf_token&#39;] . &#39;">&#39;;

// On submission:
if (!hash_equals($_SESSION[&#39;csrf_token&#39;], $_POST[&#39;csrf_token&#39;])) {
    die(&#39;Invalid CSRF token&#39;);
}

This ensures that only forms generated by your application can be used to submit data.

Validate HTTP Methods Properly

Make sure that any state-changing operation (like POST, PUT, DELETE) isn't allowed via GET requests. Browsers automatically follow links or load images using GET, which makes them vulnerable to CSRF if sensitive actions are triggered through them.

For instance:

• Don't allow account deletion via GET /delete-account .
• Always use POST (or other appropriate methods) for such operations.
• Double-check the request method at the beginning of your scripts.

You can do something like:

 if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405); // Method Not Allowed
    exit('Only POST requests are allowed.');
}

This helps avoid accidental or malicious triggering of destructive actions.

Set SameSite Cookie Attribute

Modern browsers support the SameSite attribute for cookies, which restricts how cookies are sent with cross-site requests. You can set it when starting a session:

 session_set_cookie_params([
    'lifetime' => 0,
    'path' => '/',
    'domain' => '', // adjust based on your domain
    'secure' => true, // only send over HTTPS
    'httponly' => true,
    'samesite' => 'Strict' // or 'Lax' depending on your needs
]);
session_start();

Using SameSite=Strict means cookies won't be sent along with cross-site requests, greatly reducing the risk of CSRF.

Note: Be careful with browser compatibility if you need to support older clients.

Consider Using Frameworks That Handle CSRF Automatically

If you're building a larger PHP application, consider using a framework like Laravel, Symfony, or CodeIgniter. These frameworks have built-in CSRF protection mechanisms that handle token generation, validation, and more.

For example, Laravel automatically generates and validates CSRF tokens for all POST requests, and you just need to include @csrf in your Blade templates.

While rolling your own CSRF protection works fine for small apps, frameworks take care of edge cases and keep security practices up to date.

So there you go — use tokens, validate request methods, leverage cookie attributes, and consider using a solid framework. It's not rocket science, but it's easy to overlook a detail and leave your app exposed.

The above is the detailed content of How do you prevent Cross-Site Request Forgery (CSRF) in php applications?. For more information, please follow other related articles on the PHP Chinese website!