
Anticipate risks and strike preemptively: A pioneering strategy to prevent PHP cross-site request forgery (CSRF)

WBOY
2024-02-25 13:04:05

The article "Anticipating Risks and Preempting Strikes: Pioneer Strategies for PHP Cross-Site Request Forgery (CSRF) Prevention", written by php editor Xinyi, explores in depth the threat that CSRF attacks pose to website security and proposes a series of prevention strategies to help developers effectively prevent such attacks. In concise and clear language, the article gives readers a practical security guide so that they can better protect the website and its users during development.

1. Form submission CSRF attack

This type of attack works by tricking the victim into clicking a forged link or button, causing the victim's browser to send a POST request to the attacker's website, thereby performing the actions expected by the attacker.

2. GET request CSRF attack

GET request CSRF attacks work by tricking the victim into clicking on a forged link or image, causing the victim's browser to send a GET request to the attacker's website, thereby performing the actions intended by the attacker.

3. JSON request CSRF attack

JSON request CSRF attacks work by tricking the victim into clicking a forged link or button, causing the victim's browser to send a JSON request to the attacker's website, thereby performing the actions intended by the attacker.

4. AJAX request CSRF attack

AJAX request CSRF attacks work by tricking the victim into clicking a forged link or button, causing the victim's browser to send an AJAX request to the attacker's website, thereby performing the actions intended by the attacker.

Pioneering Strategies to Prevent CSRF Attacks

1. Use CSRF token

The CSRF token is a random string generated on the server side and stored in a cookie on the client. When sending a request, the client sends the CSRF token back to the server as part of the HTTP request (in the example below, as a hidden form field). The server checks whether the CSRF token is valid: if it is, it performs the requested operation; if not, it rejects the request.

Code example:

<?php

// Generate the CSRF token
$csrfToken = bin2hex(random_bytes(32));

// Store the CSRF token in a cookie
setcookie("csrf_token", $csrfToken, time() + 3600, "/");

// Check whether the submitted CSRF token is valid (double-submit cookie:
// the form field must match the cookie that was set on the previous response).
// hash_equals() compares in constant time; the isset() guard avoids a warning
// when the cookie is missing.
if ($_SERVER["REQUEST_METHOD"] === "POST") {
    if (!isset($_POST["csrf_token"], $_COOKIE["csrf_token"])
        || !hash_equals($_COOKIE["csrf_token"], $_POST["csrf_token"])) {
        die("Invalid CSRF token");
    }
}

// Perform the requested operation
...

?>

2. Use the SameSite attribute

The SameSite attribute prevents the browser from sending cookies in cross-site requests. It can be set to one of the following three values:

  • Lax: The browser sends the cookie on top-level navigations that use a safe method such as GET (for example, following a link), but not on other cross-site requests such as POST submissions or requests for embedded resources.
  • Strict: The browser does not send the cookie on any cross-site request.
  • None: The browser sends the cookie on every cross-site request, regardless of where the request originates; current browsers accept this value only when the cookie is also marked Secure.

Code example:

<?php

// Set the CSRF cookie with the SameSite attribute (options array, PHP 7.3+).
// Assumes $csrfToken was generated as in example 1. Cookies must be sent
// before any output, so this block comes before the form.
setcookie("csrf_token", $csrfToken, [
    "expires"  => time() + 3600,
    "path"     => "/",
    "secure"   => true,
    "httponly" => true,
    "samesite" => "Strict",
]);

// Check whether the submitted CSRF token is valid
if ($_SERVER["REQUEST_METHOD"] === "POST") {
    if (!isset($_POST["csrf_token"], $_COOKIE["csrf_token"])
        || !hash_equals($_COOKIE["csrf_token"], $_POST["csrf_token"])) {
        die("Invalid CSRF token");
    }
}

// Perform the requested operation
...

?>
<form action="submit.php" method="post">
    <input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($csrfToken); ?>">
    <input type="submit" value="Submit">
</form>
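The two examples above keep the token in a cookie that the browser echoes back. As an added example that is not part of the original article, the following combines sections 1 and 2 the way it is usually done in PHP: the token lives in the server-side session, the session cookie itself carries SameSite, Secure and HttpOnly, and the comparison uses hash_equals(). The helper names csrf_token(), csrf_field() and csrf_validate() and the form action csrf_demo.php are assumptions.

```php
<?php
// Added example (not from the original article). A synchronizer-token CSRF
// check: the token is kept in the server-side session, and the session
// cookie is hardened with SameSite/Secure/HttpOnly (PHP 7.3+).
declare(strict_types=1);

// Cookie attributes must be configured before session_start().
session_set_cookie_params([
    'lifetime' => 0,        // session cookie, discarded when the browser closes
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',    // never sent on cross-site POSTs ('Strict' also blocks cross-site links)
]);
session_start();

/** Return the session's CSRF token, creating it on first use. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Render the hidden field for a form; the value is HTML-escaped. */
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Validate the token in a state-changing request. Returns true only when a
 * token exists in the session and the submitted value is a string equal to it.
 * hash_equals() compares in constant time, so the check does not leak how
 * many leading bytes of a guess were correct.
 */
function csrf_validate(array $post): bool
{
    $expected  = $_SESSION['csrf_token'] ?? '';
    $submitted = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($submitted)) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_validate($_POST)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... perform the state-changing operation here ...
    echo 'OK';
    exit;
}
?>
<!-- GET: render the form with the token embedded (assumed action csrf_demo.php) -->
<form action="csrf_demo.php" method="post">
    <?= csrf_field() ?>
    <input type="submit" value="Submit">
</form>
```

A forged form on another site cannot include the right value because that site cannot read the victim's page or session, and with SameSite=Lax the session cookie is not attached to its POST at all, so the submission fails csrf_validate() and is rejected with 403 before anything changes.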

3. Use Content-Security-Policy (CSP) header

The CSP header restricts the sources from which the browser may load resources. It can be set to allow or block particular types of resources, such as scripts, stylesheets and images.

Code example:

<!-- CSP keywords such as 'self' are single-quoted; host sources are written without quotes. -->
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' https://example.com; style-src 'self' https://example.com; img-src 'self' https://example.com;">
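The quoting in a CSP value is easy to get wrong: keywords such as 'self' and 'none' are single-quoted, while host sources such as https://example.com are not quoted at all. As an added example that is not from the original article, the helper below builds the policy from an array, handles that quoting in one place, and sends it with header(), which also allows the form-action directive (the one that limits where forms on the page may be submitted). The helper names csp_source() and csp_build() are assumptions; the allowed host is the article's own example.com.

```php
<?php
// Added example (not from the original article): build a Content-Security-Policy
// value from a directive map and send it as an HTTP response header.

/** Quote a single source expression the way CSP expects. */
function csp_source(string $src): string
{
    // Keywords and nonce/hash sources are single-quoted; host sources are bare.
    $keywords = ['self', 'none', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic'];
    if (in_array($src, $keywords, true)
        || preg_match('/^(nonce|sha256|sha384|sha512)-/', $src)) {
        return "'" . $src . "'";
    }
    return $src;
}

/** Turn ['default-src' => ['self'], ...] into the header value. */
function csp_build(array $directives): string
{
    $parts = [];
    foreach ($directives as $name => $sources) {
        $parts[] = $name . ' ' . implode(' ', array_map('csp_source', $sources));
    }
    return implode('; ', $parts);
}

$policy = csp_build([
    'default-src' => ['self'],
    'script-src'  => ['self', 'https://example.com'],
    'style-src'   => ['self', 'https://example.com'],
    'img-src'     => ['self', 'https://example.com'],
    // Forms on this page may only be submitted to our own origin.
    'form-action' => ['self'],
]);

// Sent as a real response header; this must happen before any output.
header('Content-Security-Policy: ' . $policy);
```

Sending the policy as a header rather than a meta tag means it also covers directives that browsers ignore in meta form, and keeping the directive list in one array makes the quoting rule impossible to forget for an individual source.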

4. Use Cross-Origin Resource Sharing (CORS) header

The CORS headers tell the browser which other origins may make cross-origin requests to this server. They can be set to allow or deny particular request types, such as GET, POST, PUT and DELETE.

Code example:

<?php
// CORS headers only take effect as HTTP response headers; browsers ignore them
// in <meta http-equiv> tags, so send them from PHP before any output.
header("Access-Control-Allow-Origin: https://example.com");
header("Access-Control-Allow-Methods: GET, POST, PUT, DELETE");
?>
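A fixed Access-Control-Allow-Origin works for a single partner site; the mistake to avoid when several are needed is reflecting whatever Origin the request carries, especially together with Access-Control-Allow-Credentials, because that lets any site make credentialed cross-origin requests, which is exactly what the CSRF defenses above are meant to stop. As an added example that is not from the original article, the handler below sends CORS headers only for an explicit allowlist, answers the OPTIONS preflight, and sends no CORS headers to anyone else. The allowlist contents, the cors_headers() name and the X-CSRF-Token header name are assumptions.

```php
<?php
// Added example (not from the original article): CORS headers sent only for
// an explicit allowlist of origins, never by reflecting the request's Origin.

const ALLOWED_ORIGINS = ['https://example.com'];          // assumed allowlist
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];

/**
 * Return the CORS headers to send for a request, or [] when the Origin header
 * is absent or not on the allowlist (the browser then blocks the cross-origin read).
 */
function cors_headers(?string $origin, string $method): array
{
    if ($origin === null || !in_array($origin, ALLOWED_ORIGINS, true)) {
        return [];
    }
    $headers = [
        'Access-Control-Allow-Origin'      => $origin,   // an allowlisted value, not an echo
        'Access-Control-Allow-Credentials' => 'true',
        'Vary'                             => 'Origin',  // response depends on the Origin header
    ];
    if ($method === 'OPTIONS') {
        // Preflight: advertise what the allowlisted origin may do.
        $headers['Access-Control-Allow-Methods'] = implode(', ', ALLOWED_METHODS);
        $headers['Access-Control-Allow-Headers'] = 'Content-Type, X-CSRF-Token'; // assumed token header
        $headers['Access-Control-Max-Age']       = '600';
    }
    return $headers;
}

$origin = $_SERVER['HTTP_ORIGIN'] ?? null;
$method = $_SERVER['REQUEST_METHOD'];

foreach (cors_headers($origin, $method) as $name => $value) {
    header($name . ': ' . $value);
}

if ($method === 'OPTIONS') {
    // Preflight responses carry no body.
    http_response_code(204);
    exit;
}

// ... normal request handling continues here; for state-changing methods the
// CSRF token check from the earlier examples still applies.
```

CORS only governs whether a cross-origin script may read the response; a simple form POST is sent regardless, so the allowlist complements the token and SameSite checks rather than replacing them.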


Statement:
This article is reproduced from lsjlt.com. If there is any infringement, please contact admin@php.cn for deletion.