Securing your Application with CSRF on Lithe

In this tutorial, we will learn how to implement CSRF (Cross-Site Request Forgery) protection in Lithe, to prevent unwanted requests from being made in your application. This guide is designed for beginners, so let's go in parts!

---

What is CSRF?

CSRF, or Cross-Site Request Forgery, is a type of attack where a user is tricked into performing an unauthorized action on a website on which they are authenticated. This attack is dangerous because the attacker can manipulate data or access restricted areas. To prevent this, we added a security layer that prevents suspicious requests from being processed.

---

Tutorial Structure

1. Configure Lithe
2. Install CSRF Middleware
3. Add the CSRF Token in the Backend
4. Check the Token in the Backend
5. Send the Token via Frontend
6. Test CSRF Protection

Let's get started!

---

Step 1: Configuring Lithe

If you don't already have Lithe configured, start by installing the framework with the command below:

composer create-project lithephp/lithephp nome-do-projeto
cd nome-do-projeto

This creates a basic structure for your Lithe project.

---

Step 2: Installing the CSRF Middleware

CSRF middleware helps generate and validate CSRF tokens. To install, run the following command in the terminal within your project:

composer require lithemod/csrf

---

Step 3: Configuring the CSRF Middleware

Now, we need to tell Lithe that we want to use the CSRF middleware. Open the main file src/App.php and add the CSRF middleware.

use Lithe\Middleware\Security\csrf;
use function Lithe\Orbis\Http\Router\router;

$app = new \Lithe\App;

// Configura o middleware CSRF com verificação automática no corpo da requisição
$app->use(csrf([
    'expire' => 600, // Expiração do token após 10 minutos
    'checkBody' => true, // Habilita a verificação automática no corpo
    'bodyMethods' => ['POST', 'PUT', 'DELETE'], // Define os métodos para verificar o CSRF no corpo
]));

$app->use(router(__DIR__ . '/routes/web'));

$app->listen();

With this, the CSRF middleware is active in our application, and every request that needs protection must include a valid token.

---

Step 4: Generating the CSRF Token

To use CSRF protection, we need to generate a unique token and include it in requests. Let's create a route to submit a form that automatically includes the CSRF token.

1. Create a file called src/routes/web.php, and add the form route with a field for the CSRF token.

use Lithe\Http\{Request, Response};
use function Lithe\Orbis\Http\Router\get;

get('/form', function (Request $req, Response $res) {
    // Gera o campo de token CSRF
    $tokenField = $req->csrf->getTokenField();

    // Envia o HTML com o token incluído no formulário
    return $res->send("
        <form method='POST' action='/submit'>
            $tokenField
            <input type='text' name='data' placeholder='Digite algo' required>
            <button type='submit'>Enviar</button>
        </form>
    ");
});

1. This route creates a form that includes the CSRF token field. The field is mandatory for Lithe to verify the authenticity of the request.

---

Step 5: Verifying the Token on the Backend

When the form is submitted, Lithe will automatically check if the token is valid. Now, let's create the route that will receive and process the form.

1. In the same src/routes/web.php file, add the route to process the form submission.

composer create-project lithephp/lithephp nome-do-projeto
cd nome-do-projeto

If the token is invalid or missing, Lithe will automatically block the request and return an error.

---

Step 6: Sending Requests with the CSRF Token

On the frontend, whenever you need to send a POST request (or other data change method), it is important to include the CSRF token in the request body or header, depending on how you configured your middleware.

Example with JavaScript Fetch API

For those who use JavaScript, here is an example of how to send the token with a fetch request:

composer require lithemod/csrf

---

Step 7: Testing CSRF Protection

1. Access the /form route in the browser. You will see the form with the CSRF token included.
2. Fill in the field and submit the form.
3. If everything is working, you will see a success message with the data sent.

---

Summary and Final Considerations

In this tutorial we learn:

• What is CSRF and why is it important.
• How to configure CSRF middleware in Lithe.
• How to generate and verify CSRF tokens in the backend.
• How to send CSRF tokens with forms and AJAX requests.

With this protection in place, you make your application more secure against CSRF attacks, helping to protect the integrity of your users' data.

For more detailed information, check out the Official Lithe Documentation.

The above is the detailed content of Securing your Application with CSRF on Lithe. For more information, please follow other related articles on the PHP Chinese website!