madeorsk / nocsrf
CSRF Protection Library.
Installs: 2 909
Dependents: 1
Suggesters: 0
Security: 0
Stars: 0
Watchers: 1
Forks: 1
Open Issues: 0
Requires
- php: >= 7.0
- madeorsk/session: ^1.0
Requires (Dev)
- phpunit/phpunit: ^9
This package is auto-updated.
Last update: 2024-11-21 21:51:48 UTC
README
Easy as fuck CSRF protection library for PHP based on OWASP recommendations.
Installation
Using composer:
composer require madeorsk/nocsrf
Getting started
Easy example code:
use NoCSRF\NoCSRF;

// Creating a new NoCSRF instance, which manages anti-CSRF tokens.
$nocsrf = new NoCSRF();

// Get an anti-CSRF token (to add in a hidden input field or a request header).
$token = $nocsrf->getToken();

// Verify anti-CSRF token.
if ($nocsrf->verify($token))
    echo "Anti-CSRF token is VALID!";
else
    echo "Anti-CSRF token is INVALID.";
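The snippet above only shows the two calls. As an added example (not code from the nocsrf README), here is how those calls are typically wired into a form handler: the token is embedded as a hidden field on GET, and on POST the request is rejected before any state changes unless the token verifies. It assumes a Composer autoloader, that the NoCSRF constructor takes care of the session it needs (the package depends on madeorsk/session), and the field name `_csrf_token` and header `X-CSRF-Token` are our own choices, not something the library prescribes.

```php
<?php
// Added example, not the library's own code. Assumptions: composer autoload is
// present, NoCSRF handles its own session, and the field/header names are ours.
require __DIR__ . '/vendor/autoload.php';

use NoCSRF\NoCSRF;

$nocsrf = new NoCSRF();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Accept the token from the hidden field or, for fetch/XHR calls, from the
    // X-CSRF-Token request header (PHP exposes it as HTTP_X_CSRF_TOKEN).
    $submitted = $_POST['_csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';

    if (!is_string($submitted) || $submitted === '' || !$nocsrf->verify($submitted)) {
        // Reject before touching any state: a missing or unverifiable token means
        // the request cannot be shown to have originated from our own page.
        http_response_code(403);
        exit('Invalid anti-CSRF token.');
    }

    // Token is valid: perform the state-changing action.
    $newEmail = $_POST['email'] ?? '';
    // ... update the account here, then redirect (303) so a refresh does not resubmit.
    header('Location: /settings?saved=1', true, 303);
    exit;
}

// GET: render the form with a fresh token embedded as a hidden field.
// htmlspecialchars keeps the token from breaking out of the attribute.
$token = htmlspecialchars($nocsrf->getToken(), ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="/settings">
    <input type="hidden" name="_csrf_token" value="<?= $token ?>">
    <label>New e-mail <input type="email" name="email" required></label>
    <button type="submit">Save</button>
</form>
```

The important ordering is that `verify()` runs before the handler reads or writes anything else; responding with 403 and exiting keeps a forged request from having any side effect.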
Custom modules
NoCSRF is made of three main components:
- The KeyGenerator: generates a key; in the default implementation it is an OpenSSL random key generator.
- The KeyStorage: stores the key used in token generation / verification. The key storage needs to keep the key in such a way that it is available for a specific session but cannot be retrieved by the client.
- The TokenManager: contains the token generation / verification logic. The key is provided to it by the key storage.
You can create custom classes for these three components. You can choose which module to use in the NoCSRF initialization:
$nocsrf = new NoCSRF([
    "keyGenerator" => new OpensslKeyGenerator(16),
    "keyStorage" => new SessionKeyStorage(),
    "tokenManager" => new HMACTokenManager(),
]);
The components used in this example are the default values.
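To make the division of labour between the three components concrete, here is an added, self-contained sketch of the same design in plain PHP. It is not the nocsrf library's code and the function names (`generateKey`, `loadOrCreateSessionKey`, `issueToken`, `verifyToken`) are hypothetical; the library's real interfaces are in its API documentation. The sketch shows why each role exists: the key comes from a CSPRNG (KeyGenerator role), lives only server-side in the session (KeyStorage role), and the HMAC-based token logic (TokenManager role) binds every token to that key.

```php
<?php
// Added example, not the nocsrf library's own code. Function names are
// hypothetical stand-ins for the three roles described in the README.
declare(strict_types=1);

// KeyGenerator role: produce a secret key from a cryptographically secure RNG.
function generateKey(int $bytes = 16): string
{
    return random_bytes($bytes);
}

// KeyStorage role: keep the key server-side, bound to one session, and never
// send it to the client. $session stands in for $_SESSION here.
function loadOrCreateSessionKey(array &$session): string
{
    if (!isset($session['csrf_key'])) {
        $session['csrf_key'] = generateKey();
    }
    return $session['csrf_key'];
}

// TokenManager role (HMAC based): token = hex(nonce) . ':' . HMAC-SHA256(key, nonce).
// The nonce makes each token distinct; the HMAC ties it to the session key, so a
// token minted under another session's key (or a guessed one) does not verify.
function issueToken(string $key): string
{
    $nonce = bin2hex(random_bytes(16));
    $mac = hash_hmac('sha256', $nonce, $key);
    return $nonce . ':' . $mac;
}

function verifyToken(string $key, string $token): bool
{
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2 || strlen($parts[0]) !== 32 || !ctype_xdigit($parts[0])) {
        return false; // malformed: wrong shape or non-hex nonce
    }
    [$nonce, $mac] = $parts;
    $expected = hash_hmac('sha256', $nonce, $key);
    // hash_equals compares in constant time, so MAC checking does not leak timing.
    return hash_equals($expected, $mac);
}

// Demonstration with a constructed in-memory "session" instead of $_SESSION.
$session = [];
$key = loadOrCreateSessionKey($session);
$token = issueToken($key);

var_dump(verifyToken($key, $token));                 // a token issued under this session's key
var_dump(verifyToken($key, 'deadbeef:notarealmac')); // a malformed token
var_dump(verifyToken(generateKey(), $token));        // the same token checked against a different key
```

Note that the client only ever sees the token, never the key; because the key never leaves the session store, a page on another origin cannot compute a MAC that verifies, which is the property the README asks the KeyStorage to preserve.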
Full API documentation
Full API documentation is available in the GitHub wiki (work in progress) or in the code documentation.