{"id":26984665,"url":"https://github.com/dneustadt/dneustadtcsrfcookiebundle","last_synced_at":"2025-04-03T17:48:44.027Z","repository":{"id":42568506,"uuid":"300445372","full_name":"dneustadt/DneustadtCsrfCookieBundle","owner":"dneustadt","description":"Symfony bundle that provides Cross Site Request Forgery (CSRF or XSRF) protection for client-side applications","archived":false,"fork":false,"pushed_at":"2023-06-21T11:31:59.000Z","size":28,"stargazers_count":12,"open_issues_count":1,"forks_count":7,"subscribers_count":3,"default_branch":"main","last_synced_at":"2024-05-01T18:25:23.574Z","etag":null,"topics":["ajax","angular","axios","csrf","react","security","vue","xhr","xsrf"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dneustadt.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-10-01T22:56:14.000Z","updated_at":"2024-01-19T18:46:04.000Z","dependencies_parsed_at":"2022-08-21T10:50:53.336Z","dependency_job_id":null,"html_url":"https://github.com/dneustadt/DneustadtCsrfCookieBundle","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dneustadt%2FDneustadtCsrfCookieBundle","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dneustadt%2FDneustadtCsrfCookieBundle/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dneustadt%2FDneustadtCsrfCookieBundle/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dneustadt%2FDneustadtCsrfCookieBundle/manifests","owner_url":
"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dneustadt","download_url":"https://codeload.github.com/dneustadt/DneustadtCsrfCookieBundle/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247052502,"owners_count":20875681,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ajax","angular","axios","csrf","react","security","vue","xhr","xsrf"],"created_at":"2025-04-03T17:48:43.461Z","updated_at":"2025-04-03T17:48:44.019Z","avatar_url":"https://github.com/dneustadt.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"# CSRF Cookie Bundle\n\nThis [Symfony](http://symfony.com) bundle provides [Cross Site Request Forgery](http://en.wikipedia.org/wiki/Cross-site_request_forgery)\n(CSRF or XSRF) protection for client-side applications requesting endpoints provided by Symfony through XHR.\n\nHeavily influenced and inspired by [DunglasAngularCsrfBundle](https://github.com/dunglas/DunglasAngularCsrfBundle)\n\n## Requirements\n\n* Symfony \u003e= 5.x\n\n## Working method\n\nTo store the CSRF token client-side a cookie containing the token can be set by one or more predetermined routes.\nThe bundle is pre-configured in a way that modern client-side http clients such as [Axios](https://github.com/axios/axios)\nwill automatically pick up said cookie. On subsequent requests to Symfony the CSRF token can then be added to the\nHTTP header to be validated server-side. Again, some clients may already do so automatically e.g. 
Axios.\n\n## Installation\n\nUse [Composer](http://getcomposer.org/) to install this bundle:\n\n```\ncomposer require dneustadt/csrf-cookie-bundle\n```\n\n## General Configuration\n\n```yaml\n# config/packages/dneustadt_csrf_cookie.yaml\ndneustadt_csrf_cookie:\n    # Generally enable/disable the CSRF protection\n    enable: true\n    # ID used to generate token\n    id: csrf\n    # Name of the cookie the token is stored in\n    name: XSRF-TOKEN\n    # Cookie expiration\n    expire: 0\n    # Cookie path\n    path: /\n    # Cookie domain\n    domain: null\n    # Cookie HttpOnly\n    httpOnly: true\n    # Cookie secure\n    secure: false\n    # Name of the HTTP header the token is expected to be stored in\n    header: X-XSRF-TOKEN\n    # Cookie same site policy\n    sameSite: lax\n```\n\n## Route Configurations\n\nRoutes can be set up to either provide (`create`) a token, be secured by (`require`) a token, or both.\n\nSince the defaults of a single route or a route collection are used to configure the behaviour, it is possible\nto do so either by means of configuration files or annotations.\n\n```yaml\n# config/routes.yaml\napi_controllers:\n    resource: ../src/Controller/Api\n    type: annotation\n    defaults:\n        csrf:\n            # bool or array of allowed methods\n            create: true\n            # bool or array of allowed methods\n            require:\n                - 'POST'\n                - 'PUT'\n                - 'PATCH'\n                - 'DELETE'\n            # array of route names to be excluded from create/require in this collection\n            exclude:\n                - 'app_api_blog_index'\n            # additional condition using ExpressionLanguage syntax\n            condition: 'request.isXmlHttpRequest()'\n```\n\nFor more information on conditions see [ExpressionLanguage](https://symfony.com/doc/current/components/expression_language.html).\n\nAs annotation:\n\n```php\n// src/Controller/Api/ExampleController.php\nnamespace App\\Controller\\Api;\n\n// ...\n\nclass ExampleController extends AbstractController\n{\n    /**\n     * @Route(\"/api/index\", methods={\"GET\",\"HEAD\"}, defaults={\"csrf\": {\"create\": true}})\n     */\n    public function index()\n    {\n        // ...\n    }\n}\n```\n\n## Symfony Form Component\n\nBuilt-in CSRF protection of forms will be automatically disabled for routes that are configured to be secured by means\nof the token stored in the HTTP header, provided said token can be successfully validated.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdneustadt%2Fdneustadtcsrfcookiebundle","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdneustadt%2Fdneustadtcsrfcookiebundle","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdneustadt%2Fdneustadtcsrfcookiebundle/lists"}