Cross Site Request Forgery

By enabling the CSRF Component you get protection against attacks. CSRF or Cross Site Request Forgery is a common vulnerability in web applications. It allows an attacker to capture and replay a previous request, and sometimes submit data requests using image tags or resources on other domains.

The CsrfComponent works by setting a cookie to the user’s browser. When forms are created with the Cake\View\Helper\FormHelper, a hidden field is added containing the CSRF token. During the Controller.startup event, if the request is a POST, PUT, DELETE, PATCH request the component will compare the request data & cookie value. If either is missing or the two values mismatch the component will throw a Cake\Network\Exception\InvalidCsrfTokenException.

Note

You should always verify the HTTP method being used before executing to avoid side-effects. You should check the HTTP method or use Cake\Http\ServerRequest::allowMethod() to ensure the correct HTTP method is used.

New in version 3.1: The exception type changed from Cake\Network\Exception\ForbiddenException to Cake\Network\Exception\InvalidCsrfTokenException.

Deprecated since version 3.5.0: You should use Cross Site Request Forgery (CSRF) Middleware instead of CsrfComponent.

Using the CsrfComponent

Simply by adding the CsrfComponent to your components array, you can benefit from the CSRF protection it provides:

    public function initialize()
    {
        parent::initialize();
        // Loads Cake\Controller\Component\CsrfComponent with its default settings.
        $this->loadComponent('Csrf');
    }

Settings can be passed into the component through your component’s settings. The available configuration options are:

  • cookieName The name of the cookie to send. Defaults to csrfToken.
  • expiry How long the CSRF token should last. Defaults to browser session. Accepts strtotime values as of 3.1
  • secure Whether or not the cookie will be set with the Secure flag. That is, the cookie will only be set on a HTTPS connection and any attempt over normal HTTP will fail. Defaults to false.
  • field The form field to check. Defaults to _csrfToken. Changing this will also require configuring FormHelper.

When enabled, you can access the current CSRF token on the request object:

    $token = $this->request->getParam('_csrfToken');
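The following controller is an added example, not code from the CakePHP documentation, that ties the pieces above together: it loads the component with every option set explicitly, guards a state-changing action with allowMethod() as the note recommends, and reads the current token from the request. ArticlesController, its delete() and edit() actions, and the option values are assumptions for illustration.

```php
<?php
namespace App\Controller;

/**
 * Added example (not from the CakePHP docs). ArticlesController and the
 * Articles table it uses are hypothetical.
 */
class ArticlesController extends AppController
{
    public function initialize()
    {
        parent::initialize();
        $this->loadComponent('Csrf', [
            'cookieName' => 'csrfToken',  // default cookie name
            'expiry' => '+1 hour',        // strtotime() value, accepted since 3.1
            'secure' => true,             // only send the cookie over HTTPS
            'field' => '_csrfToken',      // default hidden-field name
        ]);
    }

    public function delete($id)
    {
        // The component only validates POST/PUT/DELETE/PATCH, so a GET must
        // never reach the side effect below. allowMethod() throws a
        // MethodNotAllowedException for any other method.
        $this->request->allowMethod(['post', 'delete']);

        // Reaching this point means the component already compared the
        // submitted token with the csrfToken cookie during Controller.startup.
        $article = $this->Articles->get($id);
        $this->Articles->delete($article);

        return $this->redirect(['action' => 'index']);
    }

    public function edit($id)
    {
        $article = $this->Articles->get($id);

        // The current token, useful for templates that build a form by hand
        // or embed the token for JavaScript.
        $token = $this->request->getParam('_csrfToken');
        $this->set(compact('article', 'token'));
    }
}
```

Setting 'secure' to true means a plain-HTTP page never receives the cookie, so every state-changing request on such a page fails the check; that is the intended behaviour on an HTTPS-only site and a symptom worth knowing when debugging a mixed deployment.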

Integration with FormHelper

The CsrfComponent integrates seamlessly with FormHelper. Each time you create a form with FormHelper, it will insert a hidden field containing the CSRF token.

Note

When using the CsrfComponent you should always start your forms with the FormHelper. If you do not, you will need to manually create hidden inputs in each of your forms.
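The hand-written hidden input that the note refers to looks like this. The template below is an added example and not part of the CakePHP documentation; it assumes the default field name _csrfToken and a hypothetical $article variable set by the controller.

```php
<?php
/**
 * Added example (not from the CakePHP docs): a template that builds its own
 * <form> instead of calling $this->Form->create(), so it must emit the CSRF
 * hidden input itself. Assumes the component's default field name.
 */
?>
<form method="post" action="<?= $this->Url->build(['controller' => 'Articles', 'action' => 'delete', $article->id]) ?>">
    <?php // The value must match the csrfToken cookie or the component rejects the request. ?>
    <input type="hidden" name="_csrfToken" value="<?= h($this->request->getParam('_csrfToken')) ?>">
    <button type="submit">Delete</button>
</form>
```

Escaping the value with h() is not optional: the token ends up inside an HTML attribute, and treating it like any other request-derived string keeps the template safe if the token format ever changes.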

CSRF Protection and AJAX Requests

In addition to request data parameters, CSRF tokens can be submitted through a special X-CSRF-Token header. Using a header often makes it easier to integrate a CSRF token with JavaScript heavy applications, or XML/JSON based API endpoints.
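One way to get the token from the request into that header is to expose it in the page and read it from client-side code. The template below is an added example, not code from the CakePHP documentation; the meta element name and the /articles/1.json endpoint are assumptions.

```php
<?php
/**
 * Added example (not from the CakePHP docs). The server side emits the token
 * into a <meta> element; the client reads it and sends it as X-CSRF-Token.
 * The endpoint '/articles/1.json' is hypothetical.
 */
?>
<meta name="csrfToken" content="<?= h($this->request->getParam('_csrfToken')) ?>">
<script>
    var token = document.querySelector('meta[name="csrfToken"]').content;

    fetch('/articles/1.json', {
        method: 'DELETE',
        headers: {
            'X-CSRF-Token': token,      // compared against the csrfToken cookie
            'Accept': 'application/json'
        },
        // The csrfToken cookie has to travel with the request, otherwise the
        // component sees a missing cookie and throws InvalidCsrfTokenException.
        credentials: 'same-origin'
    });
</script>
```

Because the component checks the header against the cookie, a script on another origin cannot pass the check: it can neither read the meta element on your page nor read the cookie, which is what makes the header approach equivalent to the hidden form field.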

Disabling the CSRF Component for Specific Actions

While not recommended, you may want to disable the CsrfComponent on certain requests. You can do this using the controller’s event dispatcher, during the beforeFilter() method:

    public function beforeFilter(Event $event)
    {
        // Event is Cake\Event\Event. Detaching the component here skips the
        // token check for every action of this controller.
        $this->getEventManager()->off($this->Csrf);
    }
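The snippet above detaches the component for the whole controller. As an added example that is not part of the CakePHP documentation, the version below limits the exemption to an explicit list of actions so that every other action keeps its protection; the 'webhook' action name is a hypothetical endpoint that receives machine-to-machine POSTs authenticated by other means.

```php
<?php
namespace App\Controller;

use Cake\Event\Event;

/**
 * Added example (not from the CakePHP docs). Only the actions listed in
 * $csrfExempt skip the token check; 'webhook' is hypothetical.
 */
class HooksController extends AppController
{
    /** Actions that are deliberately exempt from CSRF validation. */
    protected $csrfExempt = ['webhook'];

    public function initialize()
    {
        parent::initialize();
        $this->loadComponent('Csrf');
    }

    public function beforeFilter(Event $event)
    {
        parent::beforeFilter($event);

        // beforeFilter runs before Controller.startup, which is when the
        // component validates the token, so detaching it here is in time.
        if (in_array($this->request->getParam('action'), $this->csrfExempt, true)) {
            $this->getEventManager()->off($this->Csrf);
        }
    }

    public function webhook()
    {
        // Still enforce the method: with CSRF off this is the only guard
        // against a plain GET reaching the side effect.
        $this->request->allowMethod(['post']);

        // ... verify the caller by whatever scheme the integration uses ...

        return $this->response->withStringBody('ok');
    }
}
```

Keeping the exempt list as a named property makes the exception visible in code review, which matters because every action on that list is exactly as exposed to CSRF as a controller without the component at all.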