{"id":15063304,"url":"https://github.com/dunglas/dunglasangularcsrfbundle","last_synced_at":"2025-10-04T22:31:59.287Z","repository":{"id":12876499,"uuid":"15552938","full_name":"dunglas/DunglasAngularCsrfBundle","owner":"dunglas","description":"Automatic CSRF protection for JavaScript apps using a Symfony API","archived":true,"fork":false,"pushed_at":"2020-12-28T14:53:09.000Z","size":93,"stargazers_count":148,"open_issues_count":0,"forks_count":32,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-01-16T16:15:13.742Z","etag":null,"topics":["angular","angularjs","axios","csrf","csrf-attacks","csrf-protection","jquery","php","react","symfony","symfony-bundle","vue","xsrf"],"latest_commit_sha":null,"homepage":"http://api-platform.com","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dunglas.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2013-12-31T16:22:43.000Z","updated_at":"2024-08-09T05:41:28.000Z","dependencies_parsed_at":"2022-09-06T11:11:48.438Z","dependency_job_id":null,"html_url":"https://github.com/dunglas/DunglasAngularCsrfBundle","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dunglas%2FDunglasAngularCsrfBundle","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dunglas%2FDunglasAngularCsrfBundle/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dunglas%2FDunglasAngularCsrfBundle/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dunglas%2FDunglasAngularCsrfBundle/manif
ests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dunglas","download_url":"https://codeload.github.com/dunglas/DunglasAngularCsrfBundle/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":235321061,"owners_count":18971238,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["angular","angularjs","axios","csrf","csrf-attacks","csrf-protection","jquery","php","react","symfony","symfony-bundle","vue","xsrf"],"created_at":"2024-09-24T23:54:48.215Z","updated_at":"2025-10-04T22:31:53.994Z","avatar_url":"https://github.com/dunglas.png","language":"PHP","readme":"# JavaScript CSRF Protection Bundle\n\n**Archived!** Now that all modern browsers implement `SameSite` cookies and the `Origin` HTTP header, this bundle is - in most cases - not necessary anymore. 
**[Learn how to protect your Symfony APIs from CSRF attacks](https://symfonycasts.com/screencast/reactjs/csrf-protection?cid=apip#do-apis-need-protection).** If you need to maintain old applications, take a look at [DneustadtCsrfCookieBundle](https://github.com/dneustadt/DneustadtCsrfCookieBundle).\n\nThis [API Platform](http://api-platform.com) and [Symfony](http://symfony.com) bundle provides automatic\n[Cross Site Request Forgery](http://en.wikipedia.org/wiki/Cross-site_request_forgery) (CSRF or XSRF) protection for\nclient-side applications.\n\nDespite the name, it works with any client-side technology including [Angular](https://angular.io/),\n[React](https://facebook.github.io/react/), [Vue.js](https://vuejs.org/) and [jQuery](https://jquery.com/).\nAny JavaScript code that issues an [XMLHttpRequest](https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest) or uses [the Fetch API](https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API) can use this bundle.\n\n[![Build Status](https://travis-ci.org/dunglas/DunglasAngularCsrfBundle.png?branch=master)](https://travis-ci.org/dunglas/DunglasAngularCsrfBundle)\n[![SensioLabsInsight](https://insight.sensiolabs.com/projects/4a1e438f-038e-4cd7-ab6e-8849c4586a08/mini.png)](https://insight.sensiolabs.com/projects/4a1e438f-038e-4cd7-ab6e-8849c4586a08)\n[![Dependency Status](https://www.versioneye.com/user/projects/5583d39036386100150002dd/badge.svg?style=flat)](https://www.versioneye.com/user/projects/5583d39036386100150002dd)\n[![StyleCI](https://styleci.io/repos/15552938/shield?branch=master)](https://styleci.io/repos/15552938)\n\n## How it Works\n\nThanks to this bundle, the server-side application (the Symfony app) automatically sets a cookie named `XSRF-TOKEN`\ncontaining a unique token on the HTTP responses that match the configured `set_on` patterns (typically the first page load).\nSubsequent asynchronous requests made by the JavaScript app with `XMLHttpRequest` or `fetch` send the value of the cookie back in a\nspecial HTTP header named `X-XSRF-TOKEN`.\n\nOn every request matching a `secure` pattern, the bundle checks that the header carries the token it issued in the cookie and\nrejects the request otherwise. A page on another origin can make the browser attach the cookie to a cross-site request, but it\ncannot read the cookie or set a custom header on that request, which is what stops the forged request. Because the JavaScript\napp must read the cookie, it cannot be `HttpOnly`: a script injection (XSS) on your own origin can read the token, so this\nprotection does not replace XSS defences.\n\nAngularJS (v1)'s `$http` service has\n[built-in support for this CSRF protection system](http://docs.angularjs.org/api/ng.$http#description_security-considerations_cross-site-request-forgery-protection).\nIf you use another framework or HTTP client (such as [Axios](https://github.com/axios/axios)), you need to read the\ncookie value and add the HTTP header containing it yourself.\n\nThis bundle provides one [Symfony event listener](http://symfony.com/doc/current/cookbook/service_container/event_listener.html)\nthat sets the cookie and another that checks the HTTP header to block CSRF attacks.\n\nThanks to DunglasAngularCsrfBundle, you get CSRF security without modifying your code base.\n\nThis bundle works fine with both [API Platform](https://api-platform.com) and\n[FOSRestBundle](https://github.com/FriendsOfSymfony/FOSRestBundle).\n\n## Installation\n\nUse [Composer](http://getcomposer.org/) to install this bundle:\n\n    composer require dunglas/angular-csrf-bundle\n\nIf you use Symfony Flex, you're done.\n\nOtherwise, register the bundle in your application kernel:\n\n```php\n// app/AppKernel.php\n\npublic function registerBundles()\n{\n    return array(\n        // ...\n        new Dunglas\\AngularCsrfBundle\\DunglasAngularCsrfBundle(),\n        // ...\n    );\n}\n```\n\nConfigure the URLs where the cookie must be set and the URLs that must be protected against CSRF attacks:\n\n```yaml\n# app/config/security.yml\ndunglas_angular_csrf:\n    # Collection of patterns where to set the cookie\n    cookie:\n        set_on:\n            - { path: ^/$ }\n            - { route: ^app_, methods: [GET, HEAD] }\n            - { host: example.com }\n    # Collection of patterns to secure\n    secure:\n        - { path: ^/api, methods: [POST, PUT, PATCH, LINK] }\n        - { route: ^api_v2_ }\n        - { host: example.com, methods: [POST, PUT, PATCH, DELETE, LINK] }\n    # Collection of patterns to exclude\n    exclude:\n        - { path: ^/api/exclude, methods: [POST, PUT, PATCH, LINK] }\n        - { route: ^api_v2_exclude }\n        - { host: exclude-example.com, methods: [POST, PUT, PATCH, DELETE, LINK] }\n```\n\nRequests matching a `secure` pattern (and not an `exclude` pattern) are now rejected unless they carry a valid token in the header.\n\n## Examples\n\n* [DunglasTodoMVCBundle](https://github.com/dunglas/DunglasTodoMVCBundle): an implementation of the TodoMVC app using Symfony,\nBackbone.js and Chaplin.js\n\n## Full Configuration\n\n```yaml\ndunglas_angular_csrf:\n    token:\n        # The CSRF token id\n        id: angular\n    header:\n        # The name of the HTTP header to check (defaults to the AngularJS default)\n        name: X-XSRF-TOKEN\n    cookie:\n        # The name of the cookie to set (defaults to the AngularJS default)\n        name: XSRF-TOKEN\n        # Expiration time of the cookie (0 = expires with the browser session)\n        expire: 0\n        # Path of the cookie\n        path: /\n        # Domain of the cookie\n        domain: ~\n        # If true, send the cookie only over HTTPS; enable it in production so the token never travels in clear text\n        secure: false\n        # Patterns of URLs to set the cookie\n        set_on:\n            - { path: \"^/url-pattern\", route: \"^route_name_pattern$\", host: \"example.com\", methods: [GET, POST] }\n    # Patterns of URLs to check for a valid CSRF token\n    secure:\n        - { path: \"^/url-pattern\", route: \"^route_name_pattern$\", host: \"example.com\", methods: [GET, POST] }\n    # Patterns to exclude from secure routes\n    exclude:\n        - { path: \"^/url-pattern/exclude\", route: \"^route_name_pattern$\", host: \"example.com\", methods: [GET, POST] }\n```\n\n## Integration with the Symfony Form Component\n\nWhen using the Symfony Form Component together with DunglasAngularCsrfBundle, the bundle will automatically disable the\nbuilt-in form CSRF protection only if the CSRF token provided by the header is valid.
\n\nIf no CSRF header is found or if the token is invalid, the form CSRF protection will not be disabled by the bundle.\n\nIf you want your form to be validated only by the form component system, make sure to remove its URL from the config.\n\n## Credits\n\nThis bundle has been created by [Kévin Dunglas](http://dunglas.fr).\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdunglas%2Fdunglasangularcsrfbundle","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdunglas%2Fdunglasangularcsrfbundle","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdunglas%2Fdunglasangularcsrfbundle/lists"}