
Hello stackoverflow community,

I searched on Google for a method to protect my website's HTTP POST requests from CSRF attacks and I found the OWASP CSRF Protector project; I place the page link here in case someone doesn't know what it is: click here to check in the git repository. I followed the guide as the author of the above page explains, but it doesn't seem to work, because I can't make an AJAX request successfully and I don't get an error message either to understand what goes wrong.

To conclude, I downloaded the OWASP CSRF Protector library, I placed a CSRFP_TOKEN in my config file and also put the following code at the beginning of each PHP page:

<?php
    // Load the OWASP CSRF Protector library (path relative to this file)
    include_once __DIR__ . '/libs/csrf/csrfprotector.php';

    // Initialise the CSRF Protector library for this request
    csrfProtector::init();
?>

Does anyone know what else I should do? Maybe attach this CSRF token to each form, create a SESSION, and how to do something like that?

PS -> Can the token be static, or do I need to change it dynamically?

Thank you in advance!

Vasileios Tsakalis

1 Answer

You can follow the steps here to use CSRF Protector:

https://github.com/mebjas/CSRF-Protector-PHP/wiki/How-to-use

Please notice that you need to edit the jsUrl in the config.php file to point to the path where you placed your csrfprotector.js.

Example: "jsUrl" => "http://localhost/YOU_PATH_TO_XCSRF/xcsrf/vendor/owasp/csrf-protector-php/js/csrfprotector.js"

You can do a per session token or a per form token, see the answers in this question for more details: CSRF protection: do we have to generate a token for every form?

Matrix
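To make the per-session versus per-form choice from the answer concrete, here is an added example of both token styles implemented directly with PHP sessions. It is not code from CSRF Protector or from either poster; the session keys, the `csrf_token` field name and the `X-CSRF-Token` header name are assumptions chosen for this illustration.

```php
<?php
// Added example: per-session and per-form CSRF tokens with plain PHP sessions.
// Assumes PHP sessions are available (run under a web server or `php -S`).
session_start();

// Per-session token: generated once, reused by every form and AJAX call
// for the lifetime of the session (the "static per session" option).
function csrfSessionToken(): string {
    if (empty($_SESSION['csrf_session_token'])) {
        $_SESSION['csrf_session_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_session_token'];
}

// Per-form token: a fresh one-time value for each rendered form,
// removed from the session as soon as it is used.
function csrfFormToken(): string {
    $token = bin2hex(random_bytes(32));
    $_SESSION['csrf_form_tokens'][$token] = time();
    return $token;
}

// Verify a token sent either as a hidden form field or an AJAX header.
function csrfVerify(?string $submitted): bool {
    if ($submitted === null || $submitted === '') {
        return false;
    }
    // hash_equals gives a constant-time comparison of the session token.
    if (isset($_SESSION['csrf_session_token'])
        && hash_equals($_SESSION['csrf_session_token'], $submitted)) {
        return true;
    }
    if (isset($_SESSION['csrf_form_tokens'][$submitted])) {
        unset($_SESSION['csrf_form_tokens'][$submitted]); // single use
        return true;
    }
    return false;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $sent = $_POST['csrf_token'] ?? ($_SERVER['HTTP_X_CSRF_TOKEN'] ?? null);
    if (!csrfVerify($sent)) {
        http_response_code(403);
        exit('CSRF token missing or invalid');
    }
    exit('POST accepted');
}
?>
<form method="post"><!-- per-form token travels in a hidden field -->
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrfFormToken()) ?>">
  <button type="submit">Submit</button>
</form>
<script>/* AJAX callers send the per-session token in a request header */
fetch(location.href, {method: 'POST', headers: {'X-CSRF-Token': '<?= csrfSessionToken() ?>'}});
</script>
```

Saving this as a single page and loading it once, then submitting the form or letting the fetch run, shows the accepted and rejected paths; repeating a POST with an already-used form token is rejected, while the session token keeps working until the session ends.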