OWASP CSRFProtector Project
Introduction
OWASP CSRF Protector Project is an effort by a group of developers to secure web applications against Cross-Site Request Forgery, providing a PHP library and an Apache module (used in different deployment scenarios) for easy mitigation.
- GitHub Repo - PHP Library
- GitHub Repo - Apache Module
What is CSRF Protector?
CSRF Protector Project has two parts:
- Apache 2.x.x Module: An Apache Module which can be easily installed and configured in an Apache Server to protect it from CSRF vulnerabilities.
- PHP library: A standalone PHP library that can be integrated with any existing web application or used while creating a new PHP project. All developers need to do is include the library and call the initiating function.
It is based on the research paper A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications - ACSAC 2011
How to use
Features Offered
CSRF Protector provides protection for:
- Normal HTML forms (POST/GET)
- Normal GET requests (not enabled by default)
- Ajax requests (XHR)
- Dynamically generated forms
Damages Mitigated: Cross-Site Request Forgery
CSRF Protector provides mitigation against Cross-Site Request Forgery, a.k.a. CSRF or XSRF.
Major Contributors
- Minhaz - email, twitter, blog
- Kevin W Wall
- Abbas Naderi
- Jim Manico
- Abhinav Dahiya
What is CSRF Protector PHP library?
It's a standalone PHP library for mitigating Cross-Site Request Forgery (CSRF) vulnerabilities in web applications, which can be used with any existing web application or while developing a new one. More information is available on the GitHub wiki.
How to contribute
To contribute to the code, fork the GitHub repository and send a pull request.
Current Status
Version 1.0.1 Released!
TODOs
All todos for CSRF Protector PHP are listed at todofy/mebjas/CSRF-Protector-PHP
Download Now: CSRF-Protector-PHP
What is mod_csrfprotector?
It's an Apache 2.x.x module (currently 2.2.x) under development. It can be installed and configured in any Apache server to protect it against Cross-Site Request Forgery attacks. mod_csrfprotector provides protection for both POST and GET requests (GET protection is not enabled by default).
How mod_csrfprotector works?
Once installed in an Apache server, every request made to the server is validated against CSRF attacks by the input filter. The input filter follows the protocol specified by the developer in the configuration, which tells the module whether a given request must be validated. The input filter checks for the appropriate token sent with the request. If validation succeeds, the request is forwarded to the other filters or content generators (such as PHP or CGI); otherwise, the action configured by the developer is taken, for example a 403 Forbidden response is sent to the client. The output filter checks the content type of the output produced by the content generator and, if it is text/html or text/xhtml, appends JavaScript code to the output. On the client side this JavaScript is responsible for attaching CSRFP_token to every request that requires it.
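The two-filter design described above, modelled as an added example (constructed for this page, not the module's or the PHP library's own code): an input filter that rejects requests whose token does not match the one issued to the session, and an output filter that appends the client-side script only to HTML responses. The script path, the `verify_get` switch and the use of a session-stored token are assumptions.

```python
import hmac
import secrets

TOKEN_NAME = "CSRFP_token"                    # token name used on the page
SCRIPT_TAG = '<script src="/csrfp.js"></script>'  # assumed path, placeholder
HTML_TYPES = ("text/html", "text/xhtml")      # content types the page names


def new_token(nbytes=32):
    """Issue a fresh random token; the server stores it (assumed: in the session)."""
    return secrets.token_hex(nbytes)


def input_filter(method, params, session_token, verify_get=False):
    """Model of the input filter: decide whether a request reaches the content
    generator. Returns (allowed, status) where status 403 means 'reject'."""
    # Configured protocol: POST is always checked, GET only when enabled.
    if method == "GET" and not verify_get:
        return True, 200
    sent = params.get(TOKEN_NAME)
    if sent is None or session_token is None:
        return False, 403
    # Constant-time comparison so a mismatch does not leak token bytes by timing.
    if not hmac.compare_digest(sent.encode(), session_token.encode()):
        return False, 403
    return True, 200


def output_filter(content_type, body):
    """Model of the output filter: append the token-attaching script to HTML
    output only, leaving JSON, images and other content untouched."""
    ctype = content_type.split(";")[0].strip().lower()
    if ctype not in HTML_TYPES:
        return body
    # Prefer inserting before </body> so the script still runs after the page loads.
    idx = body.rfind("</body>")
    if idx == -1:
        return body + SCRIPT_TAG
    return body[:idx] + SCRIPT_TAG + body[idx:]


if __name__ == "__main__":
    tok = new_token()
    print(input_filter("POST", {TOKEN_NAME: tok}, tok))       # (True, 200)
    print(input_filter("POST", {TOKEN_NAME: "x"}, tok))       # (False, 403)
    print(output_filter("text/html; charset=utf-8", "<body>hi</body>"))
```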
How to contribute
To contribute to the code, fork the repository and send a pull request to: GitHub Repo - mod_csrfprotector
TODOs
All todos for mod_csrfprotector are listed at: todofy/mebjas/mod_csrfprotector
Some articles with the latest news and information around CSRF Protector:
- Mar 17, 2018 - Support for custom logging in CSRF Protector Library and more
- Oct 07, 2017 - Introducing minor improvements to CSRF Protector PHP
- Nov 04, 2016 - Logging out and then logging in throws 403 error with CSRF Protector PHP – fix / workaround
- Nov 28, 2015 - CSRF protector – Concept, Design and Future
How to contribute
If you have written an article explaining how to use CSRF Protector Project, how it works, or bugs and their workarounds, please feel free to send a pull request to github.com/OWASP/www-project-csrfprotector