componenta/http-csrf-middleware

CSRF token managers and PSR-15 middleware for Componenta

Package info

github.com/componenta/http-csrf-middleware

pkg:composer/componenta/http-csrf-middleware

v1.0.0 2026-06-15 10:59 UTC

This package is auto-updated.

Last update: 2026-06-15 12:06:42 UTC


README

CSRF token managers and PSR-15 middleware for Componenta HTTP applications. For unsafe methods, the middleware validates the CSRF token and can optionally verify the Origin/Referer headers.

Installation

composer require componenta/http-csrf-middleware

This package has no config provider. Configure the token manager and middleware explicitly.

Token Managers

Class | Storage
SessionCsrfTokenManager | PHP $_SESSION; starts the session when needed and stores the token under _csrf_token by default.
CookieCsrfTokenManager | Cookie value written through setcookie().
HmacCsrfTokenManager | Stateless HMAC token with a secret and optional active token source.

All managers implement CsrfTokenManagerInterface.

Middleware

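use Componenta\Http\Middleware\Csrf\CsrfMiddleware;
use Componenta\Http\Middleware\Csrf\SessionCsrfTokenManager;

// $responseFactory is supplied by your application
// (assumed here to be a PSR-17 ResponseFactoryInterface instance).
$middleware = new CsrfMiddleware(
    tokenManager: new SessionCsrfTokenManager(),
    responseFactory: $responseFactory,
    // Paths excluded from the CSRF check.
    excludedPaths: ['/webhook'],
);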

Safe methods (GET, HEAD, OPTIONS, TRACE) are not validated. Unsafe methods read the token from the X-CSRF-Token header first and then from the parsed body field _csrf_token.

The active token and the manager are added to the request as the attributes csrf_token and csrf_token_manager, respectively.

InvalidCsrfTokenException is converted by the middleware into a generic 403 response.
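
The decision flow described above (safe methods skipped, header before body field, 403 on failure), as an added stand-alone sketch that is not the package's source. The function names are hypothetical, and two behaviours are assumptions: excluded paths match exactly, and a non-empty header value is used even when the body field also carries a token.

```php
<?php
declare(strict_types=1);

// Added illustration; not the package's source. Function names are hypothetical.
const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];

/** Header X-CSRF-Token wins; the parsed body field _csrf_token is the fallback. */
function submittedCsrfToken(array $headers, mixed $parsedBody): ?string
{
    foreach ($headers as $name => $value) {
        // HTTP header names are case-insensitive.
        if (strcasecmp((string) $name, 'X-CSRF-Token') === 0 && is_string($value) && $value !== '') {
            return $value;
        }
    }
    $field = is_array($parsedBody) ? ($parsedBody['_csrf_token'] ?? null) : null;
    // Reject arrays such as _csrf_token[]=x, which would break a string comparison.
    return is_string($field) && $field !== '' ? $field : null;
}

/** Returns 403 when an unsafe request lacks a matching token, otherwise 200. */
function csrfDecision(string $method, string $path, array $headers, mixed $parsedBody,
                      string $activeToken, array $excludedPaths = []): int
{
    if (in_array(strtoupper($method), SAFE_METHODS, true)) {
        return 200; // safe methods are not validated
    }
    if (in_array($path, $excludedPaths, true)) { // assumption: exact path match
        return 200;
    }
    $submitted = submittedCsrfToken($headers, $parsedBody);
    // hash_equals compares in constant time, so timing does not leak the token.
    return $submitted !== null && hash_equals($activeToken, $submitted) ? 200 : 403;
}

// Constructed sample requests (headers simplified to name => string value).
$token = bin2hex(random_bytes(32));
$cases = [
    'GET without token'       => ['GET',  '/profile', [], null],
    'POST header token'       => ['POST', '/profile', ['x-csrf-token' => $token], null],
    'POST body token'         => ['POST', '/profile', [], ['_csrf_token' => $token]],
    'POST bad header, body ok' => ['POST', '/profile', ['X-CSRF-Token' => 'bad'], ['_csrf_token' => $token]],
    'POST array-valued field' => ['POST', '/profile', [], ['_csrf_token' => [$token]]],
    'POST excluded path'      => ['POST', '/webhook', [], null],
];
foreach ($cases as $label => [$m, $p, $h, $b]) {
    printf("%-26s %d\n", $label, csrfDecision($m, $p, $h, $b, $token, ['/webhook']));
}
```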