Yii The key to preventing CSRF attacks is to use the built-in mechanism correctly. First, Yii enables CSRF protection by default and generates tokens automatically. The token will be automatically added when using ActiveForm or Html::beginForm; second, when writing forms manually or using AJAX, you need to obtain the token through Yii::$app->request->csrfToken, and it is recommended to pass it to JS through meta tags; third, for the API interface, you can choose to turn off CSRF and strengthen other authentications such as JWT, or pass tokens through header; finally, sensitive operations should be avoided in GET requests, and only use POST/PUT/DELETE to perform state changes.

Preventing cross-site request forgery (CSRF) attacks is not actually complicated in Yii, but it is very critical. The Yii framework itself has built-in CSRF protection mechanism, which is enabled by default. As long as you understand how it works and make reasonable configurations based on actual needs, you can effectively prevent such attacks.

Turn on and correctly use Yii's CSRF protection

Yii generates a unique CSRF token for each session by default and validates it in each POST request. If you are using form assistance methods provided by Yii such as ActiveForm or Html::beginForm, the token will be automatically added to the form without manual processing.

But if you write the form yourself or submit data with AJAX, you need to manually insert the CSRF token. For example:

• Get token in view: Yii::$app->request->csrfToken
• When using it in JavaScript, it is recommended to put the token in the meta tag and then get it through JS:

   <meta name="csrf-token" content="<?= Yii::$app->request->csrfToken ?>">

This can avoid XSS risks and facilitate front-end calls.

Pay special attention to CSRF settings for API interfaces

For front-end and back-end separate applications or RESTful API interfaces, cookie/session-based authentication is usually not recommended. At this time, CSRF protection may need to be turned off or handled in another way.

You can disable CSRF verification in the controller or module configuration:

 public function init()
{
    $this->enableCsrfValidation = false;
    parent::init();
}

However, it should be noted that other security measures should be strengthened while closing CSRF, such as using OAuth, JWT authentication, etc. to ensure the legitimacy of the request source.

Also, if you still want to keep CSRF verification, you can pass the token through the header instead of putting it in the form. The front-end brings X-CSRF-Token in the request header, and the back-end can recognize it.

Note that GET requests should not perform sensitive operations

Many CSRF attacks take advantage of the user's browser's automatic cookies, and GET requests are most likely to be triggered. Therefore, never let GET requests perform any sensitive operations , such as deleting data, modifying user information, etc.

Even if you enable CSRF protection, you should follow this principle. Because by default Yii does not perform CSRF verification on GET requests, because it assumes that GET is "read-only".

So the correct way is:

• Use POST/PUT/DELETE to perform state changes
• If GET is required, do not involve user identity changes or sensitive data operations

Let's summarize

Basically that's it. Yii's CSRF protection mechanism is already very complete. As long as you pay attention to a few key points during the development process - correctly using tokens, reasonably configuring the API interface, and avoiding dangerous operations in GET, you can be well protected against CSRF attacks. These seem simple, but if you don't pay attention, it is easy to ignore a certain link, resulting in security vulnerabilities.

The above is the detailed content of How do I prevent cross-site request forgery (CSRF) attacks in Yii?. For more information, please follow other related articles on the PHP Chinese website!