How to use PHP forms to prevent CSRF attacks

With the continuous development of network technology, security issues have increasingly become an issue that cannot be ignored in network application development. Among them, the cross-site request forgery (CSRF) attack is a common attack method. Its main purpose is to use the user to initiate an illegal request to the background by allowing the user to initiate a malicious request in the browser when the user is logged in to the website. This leads to server-side security vulnerabilities. In PHP applications, using form validation is an effective means of preventing CSRF attacks.

1. Join CSRF Token verification

CSRF attacks mainly use the identity of logged-in users to carry out remote attacks, so the most direct protection against this attack method is Add some unconventional values ​​to page data and forms, and limit each form request to only be sent once. These values ​​​​are CSRF Tokens, which are used to verify whether the identity information when submitting the form is legal. When processing form submission in the background, the Token needs to be verified. Only when it matches the preset Token can the request continue to be processed.

A sample code is as follows:

// 生成Token值，通常可以在session中设置

session_start();

$token = md5(uniqid(mt_rand(), true));

$_SESSION['csrf_token'] = $token;

// 应用到表单中

<input type="hidden" name="csrf_token" value="<?=$_SESSION['csrf_token']?>"/>

For form submission, Token verification is required before processing the data, as follows:

// 获取表单提交的Token

$submittedToken = $_POST['csrf_token'];

// 验证Token是否合法

if (!isset($_SESSION['csrf_token']) || $submittedToken !== $_SESSION['csrf_token']) {

    die('Token validation failed, request denied');

}

In the above code, we use PHP's session mechanism , generate a random non-duplicate Token value and store it in the session. In the form, we need to pass the Token value as a field in the hidden field to the background so that it can be sent to the server when the form is submitted. On the server side, we need to verify the requested Token value. If the submitted Token is inconsistent with the predefined Token, the request needs to be rejected.

2. Configuring the Referrer Policy header

Referrer Policy is an HTTP header used to control whether the browser includes the Referrer field when sending requests to third-party sites. If we directly reject requests for illegal Referrer fields during form processing, we can effectively defend against CSRF attacks.

In PHP, we can use the following code to set the Referrer Policy header:

header('Referrer-Policy: no-referrer');

The above code tells the browser not to include the Referrer header information when sending a request. In this way, even if an attacker attempts to conduct a CSRF attack by forging the Referrer header, it will be rejected by the browser and the request will not be sent to the server.

3. Add "Verification Code" or "Password" authentication to the form

In addition to adding CSRF Token to the form, we can also add additional verification codes or passwords, etc. Authentication method to enhance the security of the form and prevent CSRF attacks. Although this method is relatively cumbersome, it is very effective because no matter how the attacker tries to deceive the server, he needs to go through additional authentication links, making the attack more difficult.

4. Avoid using the GET method to submit the form

CSRF attacks are mostly initiated through GET requests, so we try to avoid using the GET method to submit data in the form. If the GET method must be used, we must add a Token value or other authentication method to the form to enhance the security of the form.

In short, preventing CSRF attacks is an issue that must be paid attention to in PHP application development. By rationally using various security mechanisms such as Token value, Referrer Policy header, and verification code, we can effectively protect applications from the threat of CSRF attacks. At the same time, we must continue to pay attention to the latest network security issues and attack methods, and promptly update and improve our security precautions.

The above is the detailed content of How to use PHP forms to prevent CSRF attacks. For more information, please follow other related articles on the PHP Chinese website!