Home > Article > Backend Development > Fight back and turn defeat into victory: Counterattack tips for PHP cross-site request forgery (CSRF) prevention
php editor Strawberry reveals to you the secret of preventing PHP cross-site request forgery (CSRF). CSRF attacks are a common network security threat, but through some simple and effective preventive measures, we can turn defeat into victory and protect the security of websites and users. This article will introduce the principles and harms of CSRF attacks, and how to use token verification, SameSite Cookie and other technologies to effectively prevent such attacks and make your website more secure and reliable.
A CSRF token is a random string used to verify that a request comes from a legitimate source. You can implement CSRF protection by storing a CSRF token in the user's session and including the token with every request. When the server receives a request, it compares the token in the request with the token stored in the session. If there is no match, the server rejects the request.
<?PHP // 生成 CSRF 令牌 $csrfToken = bin2hex(random_bytes(32)); // 将 CSRF 令牌存储在用户的会话中 $_SESSioN["csrfToken"] = $csrfToken; // 将 CSRF 令牌包含在每个请求中 <fORM action="submit.php" method="post"> <input type="hidden" name="csrfToken" value="<?php echo $csrfToken; ?>"> <input type="submit" value="Submit"> </form>
Verify request source
You can prevent CSRF attacks by verifying the origin of the request. You can do this by checking the request's Http Origin header. If the request's Origin header is not your application's URL, you should deny the request.
<?php // 检查请求的 HTTP 来源头 $referer = $_SERVER["HTTP_REFERER"]; if (strpos($referer, "https://example.com") !== 0) { // 请求不是来自您的应用程序 header("HTTP/1.1 403 Forbidden"); exit; }
Use security headers
You can prevent CSRF attacks by using the Security header. Security headers tell the browser how to behave to help prevent CSRF attacks. You can use the following security headers:
Content-Security-Policy
: This header can limit the resources that the browser can load. X-Frame-Options
: This header prevents your application from being loaded in another website. X-XSS-Protection
: This header can help prevent cross-site scripting (XSS) attacks. <?php // 设置安全标头 header("Content-Security-Policy: default-src "self";"); header("X-Frame-Options: SAMEORIGIN"); header("X-XSS-Protection: 1; mode=block");
Limit the scope of sensitive operations
You can prevent CSRF attacks by limiting the scope of sensitive operations. You can do this by limiting sensitive actions to pages that only authenticated users can access. You can also achieve this by requiring users to enter a password before performing sensitive actions.
<?php // 将敏感操作限制在经过身份验证的用户才能访问的页面 if (!isset($_SESSION["authenticated"])) { // 用户未经身份验证 header("HTTP/1.1 403 Forbidden"); exit; } // 要求用户在执行敏感操作之前输入密码 if ($_SERVER["REQUEST_METHOD"] == "POST") { if (!isset($_POST["passWord"]) || $_POST["password"] != "secret") { // 密码不正确 header("HTTP/1.1 403 Forbidden"); exit; } }
in conclusion
By using the above techniques, you can prevent CSRF attacks and protect your PHP applications.
The above is the detailed content of Fight back and turn defeat into victory: Counterattack tips for PHP cross-site request forgery (CSRF) prevention. For more information, please follow other related articles on the PHP Chinese website!