Leaf CSRF security patch for leaf anchor

v0.4.1 2023-10-07 21:12 UTC

This package is auto-updated.

Last update: 2024-05-08 12:55:32 UTC



Leaf Anchor CSRF [BETA]

Leaf PHP

Latest Stable Version Total Downloads License

This is an experimental module. Please open an issue if you notice any bugs or malfunctions.

This package is leaf's implementation of CSRF default protection with leaf anchor. It comes separated from leaf anchor because it is not needed in every project you may build.


You can easily install Leaf CSRF using Composer.

composer require leafs/csrf

Basic Usage

After installing leaf CSRF, leaf automatically loads the CSRF package for you, so you don't need to do anything unless you want to configure the CSRF module to match your application requirements.

Using CSRF outside of leaf

Most leaf modules can be used outside of leaf. This module is one of these global modules. If you decide to use the CSRF module outside of leaf, you will need to manually initialize the package.


This function generates a token with a secret and a random hash and saves that in a session. If no session exists, the CSRF module will create a session for your app and save the token in that session,


Just like every other leaf module, this module also allows you to customize it to behave in any way you want it to behave. Also, since this module is built on the Anchor module, the config object is shared with Anchor. To set any configuration, simply call the config method.

Available config:

  • SECRET_KEY - This is the key with which the token is saved and used in your leaf app. If this is not specified, leaf uses the name _token as done in other frameworks like Laravel.

  • SECRET - This is the secret key used to encrypt the token. Leaf also has a default secret key set for you. Note that the secret key is attached to a set of unique numbers that not even leaf knows.

  • EXCEPT - This is an array of routes that you want to exclude from the CSRF protection.

  • METHODS - This is an array of HTTP methods to apply CSRF protection to. By default, leaf uses ["POST", "PUT", "PATCH", "DELETE"]

use Leaf\Anchor\CSRF;

  "METHODS" => ["GET"],
  "EXCEPT" => ["/"],

Built with ❤ by Mychi Darko