Anti-CSRF protection

Contents...
CSRF (also known as a one-click attack or session riding) or XSRF is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. When a user visits a malicious website, a hidden request is sent in his name to a remote server for execution of a certain action (most often requests are sent to popular email services or social networks, where user is most likely to be registered and authorized). Read more about CSRF on Wikipedia.

The basic anti-CSRF protection technique includes the following:

  1. All sensitive actions performed by user (modification or deletion of data) must be executed upon receipt of a POST request.
  2. Where data are sent, a random token should be generated, saved to cookies and added to all web forms b means of a hidden element: <input type="hidden" name="_csrf" value="RANDOMLY_GENERATED_TOKEN">.
  3. When processing POST requests, compare the values of $_COOKIE['_csrf'] and $_POST['_csrf'], and execute the requested action only if those values are identical. Otherwise chances are very high that the data have been sent from a different (malicious) website.

Protecting your application from CSRF

To make your Webasyst-based applications CSRF-resistant, we have added anti-CSRF protection to the framework core. Here is how you can make use of this feature in your own application:

  1. Add the following record to your app's configuration file wa-apps/APP_ID/lib/config/app.php:

    'csrf' => true,
  2. Add helper {$wa->csrf()} inside all form elements in your HTML templates which are used to send data using the POST method. This helper adds a hidden input element to your web forms with the correctly generated token.

Further checks will be automatically carried out by the framework. Should the tokens not match, the framework will return the "403 Forbidden" error and will not grant access to the application for such a request.

AJAX

If you are utilizing JavaScript file wa-content/js/jquery-wa/wa.core.js in your application, then parameter _csrf will be automatically added to all your POST requests.

If that script file is not included in your templates, then to implement anti-CSRF protection (provided that the 'csrf' => true record has been added to the configuration file), you need to add variable '_csrf' = get_cookie('_csrf') to all AJAX requests.

You may view the implementation of such protection in the source code of the free Blog app.