This package contains a PHP PSR-15 (http-interop) compliant middleware that checks for CSRF attacks.

It implements the first OWASP general recommendation for guarding your site against cross-site request forgery (Verifying Same Origin with Standard Headers).

Note that OWASP recommends also using a CSRF token. This requires some changes in your application and this middleware does not provide any help regarding CSRF token generation. Other packages (like Slim-CSRF) can help you with CSRF token validation.

The CsrfHeaderCheckMiddleware will check that all POST/PUT/DELETE requests and verify that the "Origin" of the request is your own website.

It does so by comparing the "Origin" (or the "Referrer" header as a fallback) to the "Host" (or "X-Forwarded-Host") header. If the headers do not match (or if the headers are not found), it will trigger an exception.

• This middleware completely bypasses GET requests. If your application modifies state on GET requests, you are screwed. Of course, modification of state should only happen in POST requests (but please check twice that your routes changing state do ONLY works with POST/DELETE/PUT requests).
• This middleware expects "Origin" or "Referrer" headers to be filled. This will often be true unless you are in a corporate environment with proxies that are fiddling with your request. For instance, some proxies are known to strip headers in order to make the request anonymous.

composer require thecodingmachine/csrf-header-check-middleware