CodeIgniter4/libraries/security.html
2025-02-07 17:48:15 +00:00


<!DOCTYPE html>
<html class="writer-html5" lang="en">
<head>
<meta charset="utf-8" /><meta name="generator" content="Docutils 0.19: https://docutils.sourceforge.io/" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Security &mdash; CodeIgniter 4.6.0 documentation</title>
<link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
<link rel="stylesheet" type="text/css" href="../_static/css/citheme.css" />
<link rel="stylesheet" type="text/css" href="../_static/css/citheme_dark.css" />
<link rel="shortcut icon" href="../_static/favicon.ico"/>
<!--[if lt IE 9]>
<script src="../_static/js/html5shiv.min.js"></script>
<![endif]-->
<script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
<script src="../_static/jquery.js"></script>
<script src="../_static/underscore.js"></script>
<script src="../_static/_sphinx_javascript_frameworks_compat.js"></script>
<script src="../_static/doctools.js"></script>
<script src="../_static/sphinx_highlight.js"></script>
<script src="../_static/js/citheme.js"></script>
<script src="../_static/js/carbon.js"></script>
<script src="../_static/js/theme.js"></script>
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
<link rel="next" title="Session Library" href="sessions.html" />
<link rel="prev" title="Publisher" href="publisher.html" />
</head>
<body class="wy-body-for-nav">
<div class="wy-grid-for-nav">
<section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">
<div class="wy-nav-content">
<div class="rst-content">
<div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
<div itemprop="articleBody">
<section id="security">
<h1>Security<a class="headerlink" href="#security" title="Permalink to this heading"></a></h1>
<p>The Security Class contains methods that help protect your site against Cross-Site Request Forgery attacks.</p>
<nav class="contents local" id="contents">
<ul class="simple">
<li><p><a class="reference internal" href="#loading-the-library" id="id3">Loading the Library</a></p></li>
<li><p><a class="reference internal" href="#cross-site-request-forgery-csrf" id="id4">Cross-Site Request Forgery (CSRF)</a></p>
<ul>
<li><p><a class="reference internal" href="#prerequisite" id="id5">Prerequisite</a></p>
<ul>
<li><p><a class="reference internal" href="#when-auto-routing-is-disabled" id="id6">When Auto-Routing is Disabled</a></p></li>
<li><p><a class="reference internal" href="#when-auto-routing-is-enabled" id="id7">When Auto-Routing is Enabled</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#config-for-csrf" id="id8">Config for CSRF</a></p>
<ul>
<li><p><a class="reference internal" href="#csrf-protection-methods" id="id9">CSRF Protection Methods</a></p></li>
<li><p><a class="reference internal" href="#token-randomization" id="id10">Token Randomization</a></p></li>
<li><p><a class="reference internal" href="#token-regeneration" id="id11">Token Regeneration</a></p></li>
<li><p><a class="reference internal" href="#redirection-on-failure" id="id12">Redirection on Failure</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#enable-csrf-protection" id="id13">Enable CSRF Protection</a></p></li>
<li><p><a class="reference internal" href="#html-forms" id="id14">HTML Forms</a></p></li>
<li><p><a class="reference internal" href="#the-order-of-token-sent-by-users" id="id15">The Order of Token Sent by Users</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#other-helpful-methods" id="id16">Other Helpful Methods</a></p>
<ul>
<li><p><a class="reference internal" href="#sanitizefilename" id="id17">sanitizeFilename()</a></p></li>
</ul>
</li>
</ul>
</nav>
<section id="loading-the-library">
<h2><a class="toc-backref" href="#id3" role="doc-backlink">Loading the Library</a><a class="headerlink" href="#loading-the-library" title="Permalink to this heading"></a></h2>
<p>If your only interest in the library is CSRF protection, you never need to load it:
the protection runs as a filter and requires no manual interaction.</p>
<p>If you find a case where you do need direct access though, you may load it through the Services file:</p>
<div class="highlight-html+php notranslate"><div class="highlight"><pre><span></span><span class="o">&lt;?</span><span class="nx">php</span>
<span class="nv">$security</span> <span class="o">=</span> <span class="nx">service</span><span class="p">(</span><span class="s1">&#39;security&#39;</span><span class="p">);</span>
</pre></div>
</div>
</section>
<section id="cross-site-request-forgery-csrf">
<span id="cross-site-request-forgery"></span><h2><a class="toc-backref" href="#id4" role="doc-backlink">Cross-Site Request Forgery (CSRF)</a><a class="headerlink" href="#cross-site-request-forgery-csrf" title="Permalink to this heading"></a></h2>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>The CSRF Protection is only available for <strong>POST/PUT/PATCH/DELETE</strong> requests.
Requests for other methods are not protected.</p>
</div>
<section id="prerequisite">
<h3><a class="toc-backref" href="#id5" role="doc-backlink">Prerequisite</a><a class="headerlink" href="#prerequisite" title="Permalink to this heading"></a></h3>
<p>When you use CodeIgniter's CSRF protection, you still need to write your code as follows.
Otherwise, the CSRF protection may be bypassed: the filter only checks POST/PUT/PATCH/DELETE requests,
so an action that can also be reached with a GET request is not protected.</p>
<section id="when-auto-routing-is-disabled">
<h4><a class="toc-backref" href="#id6" role="doc-backlink">When Auto-Routing is Disabled</a><a class="headerlink" href="#when-auto-routing-is-disabled" title="Permalink to this heading"></a></h4>
<p>Do one of the following:</p>
<ol class="arabic simple">
<li><p>Do not use <code class="docutils literal notranslate"><span class="pre">$routes-&gt;add()</span></code>; define routes with the HTTP-verb-specific methods (for example <code class="docutils literal notranslate"><span class="pre">$routes-&gt;post()</span></code>) so that a state-changing action cannot also be reached with a GET request.</p></li>
<li><p>Check the request method in the controller method before processing.</p></li>
</ol>
<p>E.g.:</p>
<div class="highlight-html+php notranslate"><div class="highlight"><pre><span></span><span class="k">if</span> <span class="p">(</span><span class="o">!</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="na">request</span><span class="o">-&gt;</span><span class="na">is</span><span class="p">(</span><span class="s1">&#39;post&#39;</span><span class="p">))</span> <span class="p">{</span>
    <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="na">response</span><span class="o">-&gt;</span><span class="na">setStatusCode</span><span class="p">(</span><span class="mi">405</span><span class="p">)</span><span class="o">-&gt;</span><span class="na">setBody</span><span class="p">(</span><span class="s1">&#39;Method Not Allowed&#39;</span><span class="p">);</span>
<span class="p">}</span>
</pre></div>
</div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>The <a class="reference internal" href="../incoming/incomingrequest.html#incomingrequest-is"><span class="std std-ref">$this-&gt;request-&gt;is()</span></a> method is available since v4.3.0.
In earlier versions, use
<code class="docutils literal notranslate"><span class="pre">if</span> <span class="pre">(strtolower($this-&gt;request-&gt;getMethod())</span> <span class="pre">!==</span> <span class="pre">'post')</span></code> instead.</p>
</div>
</section>
<section id="when-auto-routing-is-enabled">
<h4><a class="toc-backref" href="#id7" role="doc-backlink">When Auto-Routing is Enabled</a><a class="headerlink" href="#when-auto-routing-is-enabled" title="Permalink to this heading"></a></h4>
<ol class="arabic simple">
<li><p>Check the request method in the controller method before processing.</p></li>
</ol>
<p>E.g.:</p>
<div class="highlight-html+php notranslate"><div class="highlight"><pre><span></span><span class="k">if</span> <span class="p">(</span><span class="o">!</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="na">request</span><span class="o">-&gt;</span><span class="na">is</span><span class="p">(</span><span class="s1">&#39;post&#39;</span><span class="p">))</span> <span class="p">{</span>
    <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="na">response</span><span class="o">-&gt;</span><span class="na">setStatusCode</span><span class="p">(</span><span class="mi">405</span><span class="p">)</span><span class="o">-&gt;</span><span class="na">setBody</span><span class="p">(</span><span class="s1">&#39;Method Not Allowed&#39;</span><span class="p">);</span>
<span class="p">}</span>
</pre></div>
</div>
</section>
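<p>The two prerequisites above combined in one controller, as an added example that is not code from the CodeIgniter user guide: the route is bound to a single HTTP verb, and the action still verifies the method itself before touching any state. The controller name <code class="docutils literal notranslate"><span class="pre">Profile</span></code>, the route path and the form field name are assumptions for this illustration.</p>

```php
<?php
// Added example (not code from the CodeIgniter user guide): a controller action
// that enforces the request method itself, so CSRF validation cannot be skipped
// by reaching the action with GET. Controller, method and field names are
// assumptions for this illustration.
//
// Pair it with a verb-specific route in app/Config/Routes.php, for example:
//     $routes->post('profile/update', 'Profile::update');
// rather than $routes->add(), which would match every HTTP method.

namespace App\Controllers;

class Profile extends BaseController
{
    public function update()
    {
        // Defense in depth: the CSRF filter only runs for POST/PUT/PATCH/DELETE,
        // so refuse anything else before processing the request.
        if (! $this->request->is('post')) {
            return $this->response
                ->setStatusCode(405)
                ->setBody('Method Not Allowed');
        }

        // From here on the request has passed the CSRF filter.
        $name = $this->request->getPost('name');

        // ... validate $name and persist the change ...

        return redirect()->to('/profile');
    }
}
```

<p>The route restriction is what keeps the CSRF filter in play; the in-controller check is the fallback that still holds if the route is later changed, or if auto-routing exposes the action to other methods.</p>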
</section>
<section id="config-for-csrf">
<h3><a class="toc-backref" href="#id8" role="doc-backlink">Config for CSRF</a><a class="headerlink" href="#config-for-csrf" title="Permalink to this heading"></a></h3>
<section id="csrf-protection-methods">
<span id="id1"></span><h4><a class="toc-backref" href="#id9" role="doc-backlink">CSRF Protection Methods</a><a class="headerlink" href="#csrf-protection-methods" title="Permalink to this heading"></a></h4>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>If you use <a class="reference internal" href="sessions.html"><span class="doc">Session</span></a>, be sure to use Session-based
CSRF protection. Cookie-based CSRF protection will not prevent same-site attacks.
See
<a class="reference external" href="https://github.com/codeigniter4/shield/security/advisories/GHSA-5hm8-vh6r-2cjq">GHSA-5hm8-vh6r-2cjq</a>
for details.</p>
</div>
<p>By default, Cookie-based CSRF protection is used. This is the
<a class="reference external" href="https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie">Double Submit Cookie</a>
pattern from the OWASP Cross-Site Request Forgery Prevention Cheat Sheet.</p>
<p>You can also use Session-based CSRF protection, which is the
<a class="reference external" href="https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern">Synchronizer Token Pattern</a>.</p>
<p>You can switch to Session-based CSRF protection by editing the following config parameter value in
<strong>app/Config/Security.php</strong>:</p>
<div class="highlight-html+php notranslate"><div class="highlight"><pre><span></span><span class="o">&lt;?</span><span class="nx">php</span>
<span class="k">namespace</span> <span class="nx">Config</span><span class="p">;</span>
<span class="k">use</span> <span class="nx">CodeIgniter\Config\BaseConfig</span><span class="p">;</span>
<span class="k">class</span> <span class="nc">Security</span> <span class="k">extends</span> <span class="nx">BaseConfig</span>
<span class="p">{</span>
    <span class="k">public</span> <span class="nv">$csrfProtection</span> <span class="o">=</span> <span class="s1">&#39;session&#39;</span><span class="p">;</span>
    <span class="c1">// ...</span>
<span class="p">}</span>
</pre></div>
</div>
</section>
<section id="token-randomization">
<h4><a class="toc-backref" href="#id10" role="doc-backlink">Token Randomization</a><a class="headerlink" href="#token-randomization" title="Permalink to this heading"></a></h4>
<p>To mitigate compression side-channel attacks like <a class="reference external" href="https://en.wikipedia.org/wiki/BREACH">BREACH</a>, and to prevent an attacker from guessing the CSRF tokens, you can enable token randomization (off by default).</p>
<p>If you enable it, a random mask is added to the token and used to scramble it, so the value that appears in a response differs each time it is rendered even though the underlying token is unchanged.</p>
<p>You can enable it by editing the following config parameter value in
<strong>app/Config/Security.php</strong>:</p>
<div class="highlight-html+php notranslate"><div class="highlight"><pre><span></span><span class="o">&lt;?</span><span class="nx">php</span>
<span class="k">namespace</span> <span class="nx">Config</span><span class="p">;</span>
<span class="k">use</span> <span class="nx">CodeIgniter\Config\BaseConfig</span><span class="p">;</span>
<span class="k">class</span> <span class="nc">Security</span> <span class="k">extends</span> <span class="nx">BaseConfig</span>
<span class="p">{</span>
    <span class="k">public</span> <span class="nv">$tokenRandomize</span> <span class="o">=</span> <span class="k">true</span><span class="p">;</span>
    <span class="c1">// ...</span>
<span class="p">}</span>
</pre></div>
</div>
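<p>To show what the random mask does, here is a standalone re-implementation of the masking scheme as an added example; it is not the framework's own code, and the function names <code class="docutils literal notranslate"><span class="pre">randomizeToken()</span></code>, <code class="docutils literal notranslate"><span class="pre">derandomizeToken()</span></code>, <code class="docutils literal notranslate"><span class="pre">verifyToken()</span></code> and the 16-byte token size are assumptions for the illustration. The stored secret is XORed with a fresh random key on every render and the key is appended, so each rendered token has different bytes; on verification the key is stripped off and XORed back in, and the recovered secret is compared in constant time.</p>

```php
<?php
// Added example, not CodeIgniter's own code: a standalone re-implementation of
// the "random mask" idea behind token randomization, to show why a randomized
// token changes on every response while still validating against one stored
// secret. Function names and the 16-byte size are assumptions for this example.

const TOKEN_BYTES = 16;

// Mask a stored secret (hex) with a fresh random key:
//   token = hex( (secret XOR key) || key )
function randomizeToken(string $secretHex): string
{
    $secret = hex2bin($secretHex);
    if ($secret === false || strlen($secret) !== TOKEN_BYTES) {
        throw new InvalidArgumentException('secret must be ' . TOKEN_BYTES . ' bytes in hex');
    }

    $key = random_bytes(TOKEN_BYTES);

    // PHP's string XOR works byte by byte; both operands are TOKEN_BYTES long.
    return bin2hex(($secret ^ $key) . $key);
}

// Recover the secret (hex) from a submitted token; null on malformed input
// (wrong length or non-hex characters), so callers never XOR garbage.
function derandomizeToken(string $token): ?string
{
    if (strlen($token) !== TOKEN_BYTES * 4 || ! ctype_xdigit($token)) {
        return null;
    }

    $masked = hex2bin(substr($token, 0, TOKEN_BYTES * 2));
    $key    = hex2bin(substr($token, TOKEN_BYTES * 2));

    return bin2hex($masked ^ $key);
}

// Constant-time comparison of a submitted token against the stored secret.
function verifyToken(string $submitted, string $secretHex): bool
{
    $recovered = derandomizeToken($submitted);

    return $recovered !== null && hash_equals($secretHex, $recovered);
}

// Demonstration with a constructed secret (what the framework would keep in
// the session or the CSRF cookie).
$secret = bin2hex(random_bytes(TOKEN_BYTES));
$tokenA = randomizeToken($secret);
$tokenB = randomizeToken($secret);

var_dump([
    'tokens differ on the wire' => $tokenA !== $tokenB,
    'token A verifies'          => verifyToken($tokenA, $secret),
    'token B verifies'          => verifyToken($tokenB, $secret),
    'wrong secret rejected'     => verifyToken(str_repeat('0', TOKEN_BYTES * 4), $secret),
    'malformed input rejected'  => verifyToken('not-hex', $secret),
]);
```

<p>The point of the mask is that the secret itself never appears verbatim in the compressed response body, which removes the stable byte sequence that BREACH-style attacks rely on. The length and hex checks in <code class="docutils literal notranslate"><span class="pre">derandomizeToken()</span></code> are the defensive part: a token of the wrong length would otherwise be truncated by the string XOR and silently compared against a shortened value.</p>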
</section>
<section id="token-regeneration">
<h4><a class="toc-backref" href="#id11" role="doc-backlink">Token Regeneration</a><a class="headerlink" href="#token-regeneration" title="Permalink to this heading"></a></h4>
<p>Tokens may be either regenerated on every submission (default) or
kept the same throughout the life of the Session or CSRF cookie.</p>
<p>The default regeneration of tokens provides stricter security, but may result
in usability concerns, since other tokens still held by the browser become invalid (back/forward
navigation, multiple tabs/windows, asynchronous actions, etc.). You
may alter this behavior by editing the following config parameter value in
<strong>app/Config/Security.php</strong>:</p>
<div class="highlight-html+php notranslate"><div class="highlight"><pre><span></span><span class="o">&lt;?</span><span class="nx">php</span>
<span class="k">namespace</span> <span class="nx">Config</span><span class="p">;</span>
<span class="k">use</span> <span class="nx">CodeIgniter\Config\BaseConfig</span><span class="p">;</span>
<span class="k">class</span> <span class="nc">Security</span> <span class="k">extends</span> <span class="nx">BaseConfig</span>
<span class="p">{</span>
<span class="k">public</span> <span class="nv">$regenerate</span> <span class="o">=</span> <span class="k">true</span><span class="p">;</span>
<span class="c1">// ...</span>
<span class="p">}</span>
</pre></div>
</div>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>If you use Cookie based CSRF protection, and <a class="reference internal" href="../general/common_functions.html#redirect" title="redirect"><code class="xref php php-func docutils literal notranslate"><span class="pre">redirect()</span></code></a>
after the submission, you must call <code class="docutils literal notranslate"><span class="pre">withCookie()</span></code> to send the regenerated
CSRF cookie. See <a class="reference internal" href="../outgoing/response.html#response-redirect"><span class="std std-ref">Redirect</span></a> for details.</p>
</div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Since v4.2.3, you can regenerate CSRF token manually with the
<code class="docutils literal notranslate"><span class="pre">Security::generateHash()</span></code> method.</p>
</div>
</section>
<section id="redirection-on-failure">
<span id="csrf-redirection-on-failure"></span><h4><a class="toc-backref" href="#id12" role="doc-backlink">Redirection on Failure</a><a class="headerlink" href="#redirection-on-failure" title="Permalink to this heading"></a></h4>
<p>Starting with v4.5.0, when a request fails the CSRF validation check, by default
the user is redirected to the previous page in the production environment, or a
SecurityException is thrown in other environments.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>In the production environment, when you use HTML forms, it is recommended
to enable this redirection for a better user experience.</p>
<p>Users upgrading from earlier versions should check their configuration files.</p>
</div>
<p>If you want to make it redirect to the previous page, set the following config
parameter value to <code class="docutils literal notranslate"><span class="pre">true</span></code> in <strong>app/Config/Security.php</strong>:</p>
<div class="highlight-html+php notranslate"><div class="highlight"><pre><span></span><span class="o">&lt;?</span><span class="nx">php</span>
<span class="k">namespace</span> <span class="nx">Config</span><span class="p">;</span>
<span class="k">use</span> <span class="nx">CodeIgniter\Config\BaseConfig</span><span class="p">;</span>
<span class="k">class</span> <span class="nc">Security</span> <span class="k">extends</span> <span class="nx">BaseConfig</span>
<span class="p">{</span>
<span class="c1">// ...</span>
<span class="k">public</span> <span class="nx">bool</span> <span class="nv">$redirect</span> <span class="o">=</span> <span class="k">true</span><span class="p">;</span>
<span class="c1">// ...</span>
<span class="p">}</span>
</pre></div>
</div>
<p>When redirected, an <code class="docutils literal notranslate"><span class="pre">error</span></code> flash message is set and can be displayed to the end user with the following code in your view:</p>
<div class="highlight-html+php notranslate"><div class="highlight"><pre><span></span><span class="o">&lt;?=</span> <span class="nx">session</span><span class="p">()</span><span class="o">-&gt;</span><span class="na">getFlashdata</span><span class="p">(</span><span class="s1">&#39;error&#39;</span><span class="p">)</span> <span class="cp">?&gt;</span>
</pre></div>
</div>
<p>This provides a nicer experience than simply crashing.</p>
<p>Even when the redirect value is <code class="docutils literal notranslate"><span class="pre">true</span></code>, AJAX calls will not redirect, but will throw a SecurityException.</p>
</section>
</section>
<section id="enable-csrf-protection">
<span id="id2"></span><h3><a class="toc-backref" href="#id13" role="doc-backlink">Enable CSRF Protection</a><a class="headerlink" href="#enable-csrf-protection" title="Permalink to this heading"></a></h3>
<p>You can enable CSRF protection by altering your <strong>app/Config/Filters.php</strong>
and enabling the <cite>csrf</cite> filter globally:</p>
<div class="highlight-html+php notranslate"><div class="highlight"><pre><span></span><span class="o">&lt;?</span><span class="nx">php</span>
<span class="k">namespace</span> <span class="nx">Config</span><span class="p">;</span>
<span class="k">use</span> <span class="nx">CodeIgniter\Config\BaseConfig</span><span class="p">;</span>
<span class="k">class</span> <span class="nc">Filters</span> <span class="k">extends</span> <span class="nx">BaseConfig</span>
<span class="p">{</span>
<span class="k">public</span> <span class="nv">$globals</span> <span class="o">=</span> <span class="p">[</span>
<span class="s1">&#39;before&#39;</span> <span class="o">=&gt;</span> <span class="p">[</span>
<span class="c1">// &#39;honeypot&#39;,</span>
<span class="s1">&#39;csrf&#39;</span><span class="p">,</span>
<span class="p">],</span>
<span class="p">];</span>
<span class="c1">// ...</span>
<span class="p">}</span>
</pre></div>
</div>
<p>Select URIs can be whitelisted from CSRF protection (for example API
endpoints expecting externally POSTed content). You can add these URIs
by adding them as exceptions in the filter:</p>
<div class="highlight-html+php notranslate"><div class="highlight"><pre><span></span><span class="o">&lt;?</span><span class="nx">php</span>
<span class="k">namespace</span> <span class="nx">Config</span><span class="p">;</span>
<span class="k">use</span> <span class="nx">CodeIgniter\Config\BaseConfig</span><span class="p">;</span>
<span class="k">class</span> <span class="nc">Filters</span> <span class="k">extends</span> <span class="nx">BaseConfig</span>
<span class="p">{</span>
<span class="k">public</span> <span class="nv">$globals</span> <span class="o">=</span> <span class="p">[</span>
<span class="s1">&#39;before&#39;</span> <span class="o">=&gt;</span> <span class="p">[</span>
<span class="s1">&#39;csrf&#39;</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">&#39;except&#39;</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">&#39;api/record/save&#39;</span><span class="p">]],</span>
<span class="p">],</span>
<span class="p">];</span>
<span class="c1">// ...</span>
<span class="p">}</span>
</pre></div>
</div>
<p>Regular expressions are also supported (case-insensitive):</p>
<div class="highlight-html+php notranslate"><div class="highlight"><pre><span></span><span class="o">&lt;?</span><span class="nx">php</span>
<span class="k">namespace</span> <span class="nx">Config</span><span class="p">;</span>
<span class="k">use</span> <span class="nx">CodeIgniter\Config\BaseConfig</span><span class="p">;</span>
<span class="k">class</span> <span class="nc">Filters</span> <span class="k">extends</span> <span class="nx">BaseConfig</span>
<span class="p">{</span>
<span class="k">public</span> <span class="nv">$globals</span> <span class="o">=</span> <span class="p">[</span>
<span class="s1">&#39;before&#39;</span> <span class="o">=&gt;</span> <span class="p">[</span>
<span class="s1">&#39;csrf&#39;</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">&#39;except&#39;</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">&#39;api/record/[0-9]+&#39;</span><span class="p">]],</span>
<span class="p">],</span>
<span class="p">];</span>
<span class="c1">// ...</span>
<span class="p">}</span>
</pre></div>
</div>
<p>It is also possible to enable the CSRF filter only for specific methods:</p>
<div class="highlight-html+php notranslate"><div class="highlight"><pre><span></span><span class="o">&lt;?</span><span class="nx">php</span>
<span class="k">namespace</span> <span class="nx">Config</span><span class="p">;</span>
<span class="k">use</span> <span class="nx">CodeIgniter\Config\BaseConfig</span><span class="p">;</span>
<span class="k">class</span> <span class="nc">Filters</span> <span class="k">extends</span> <span class="nx">BaseConfig</span>
<span class="p">{</span>
<span class="k">public</span> <span class="nv">$methods</span> <span class="o">=</span> <span class="p">[</span>
<span class="s1">&#39;GET&#39;</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">&#39;csrf&#39;</span><span class="p">],</span>
<span class="s1">&#39;POST&#39;</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">&#39;csrf&#39;</span><span class="p">],</span>
<span class="p">];</span>
<span class="c1">// ...</span>
<span class="p">}</span>
</pre></div>
</div>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>If you use <code class="docutils literal notranslate"><span class="pre">$methods</span></code> filters, you should <a class="reference internal" href="../incoming/routing.html#use-defined-routes-only"><span class="std std-ref">disable Auto Routing (Legacy)</span></a>
because <a class="reference internal" href="../incoming/routing.html#auto-routing-legacy"><span class="std std-ref">Auto Routing (Legacy)</span></a> permits any HTTP method to access a controller.
Accessing the controller with a method you don't expect could bypass the filter.</p>
</div>
</section>
<section id="html-forms">
<h3><a class="toc-backref" href="#id14" role="doc-backlink">HTML Forms</a><a class="headerlink" href="#html-forms" title="Permalink to this heading"></a></h3>
<p>If you use the <a class="reference internal" href="../helpers/form_helper.html"><span class="doc">form helper</span></a>, then
<code class="xref py py-func docutils literal notranslate"><span class="pre">form_open()</span></code> will automatically insert a hidden csrf field in
your forms.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>To use auto-generation of the CSRF field, the CSRF filter must be enabled for the page that renders the form.
In most cases that page is requested with the <code class="docutils literal notranslate"><span class="pre">GET</span></code> method.</p>
</div>
<p>If not, then you can use the always available <code class="docutils literal notranslate"><span class="pre">csrf_token()</span></code>
and <code class="docutils literal notranslate"><span class="pre">csrf_hash()</span></code> functions:</p>
<div class="highlight-html+php notranslate"><div class="highlight"><pre><span></span><span class="o">&lt;</span><span class="nx">input</span> <span class="nx">type</span><span class="o">=</span><span class="s2">&quot;hidden&quot;</span> <span class="nx">name</span><span class="o">=</span><span class="s2">&quot;&lt;?= csrf_token() ?&gt;&quot;</span> <span class="nx">value</span><span class="o">=</span><span class="s2">&quot;&lt;?= csrf_hash() ?&gt;&quot;</span> <span class="o">/&gt;</span>
</pre></div>
</div>
<p>Additionally, you can use the <code class="docutils literal notranslate"><span class="pre">csrf_field()</span></code> method to generate this
hidden input field for you:</p>
<div class="highlight-html+php notranslate"><div class="highlight"><pre><span></span><span class="c1">// Generates: &lt;input type=&quot;hidden&quot; name=&quot;{csrf_token}&quot; value=&quot;{csrf_hash}&quot; /&gt;</span>
<span class="o">&lt;?=</span> <span class="nx">csrf_field</span><span class="p">()</span> <span class="cp">?&gt;</span>
</pre></div>
</div>
<p>When sending a JSON request, the CSRF token can also be passed as one of the parameters.
Another way to pass the CSRF token is a dedicated HTTP header whose name is returned by the
<code class="docutils literal notranslate"><span class="pre">csrf_header()</span></code> function.</p>
<p>Additionally, you can use the <code class="docutils literal notranslate"><span class="pre">csrf_meta()</span></code> method to generate this handy
meta tag for you:</p>
<div class="highlight-html+php notranslate"><div class="highlight"><pre><span></span><span class="c1">// Generates: &lt;meta name=&quot;{csrf_header}&quot; content=&quot;{csrf_hash}&quot; /&gt;</span>
<span class="o">&lt;?=</span> <span class="nx">csrf_meta</span><span class="p">()</span> <span class="cp">?&gt;</span>
</pre></div>
</div>
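<p>The view below is an added example, not a view shipped with CodeIgniter or taken from these docs. It combines the pieces above in one page: <code class="docutils literal notranslate"><span class="pre">form_open()</span></code> for the classic form, and <code class="docutils literal notranslate"><span class="pre">csrf_meta()</span></code> plus <code class="docutils literal notranslate"><span class="pre">csrf_header()</span></code> for a same-origin JSON request. It assumes the form helper is loaded (<code class="docutils literal notranslate"><span class="pre">helper('form')</span></code> in the controller), that the csrf filter runs on the GET request that renders the page, and that the routes <code class="docutils literal notranslate"><span class="pre">profile/update</span></code> and <code class="docutils literal notranslate"><span class="pre">profile/save-json</span></code> exist; all of those names are assumptions.</p>

```php
<?php
// Added example view (assumed path: app/Views/profile/edit.php), not from the
// CodeIgniter docs. Assumes helper('form') was loaded by the controller and
// that the csrf filter ran on the GET request that renders this page.
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <?= csrf_meta() ?>  <!-- renders <meta name="{csrf_header}" content="{csrf_hash}" /> -->
</head>
<body>

<?= form_open('profile/update') ?>  <!-- form_open() inserts the hidden CSRF field -->
    <label>Display name <input type="text" name="display_name"></label>
    <button type="submit">Save</button>
<?= form_close() ?>

<script>
// JSON request: send the token in the header whose name csrf_header() returns.
const csrfMeta   = document.querySelector('meta[name="<?= csrf_header() ?>"]');
const csrfHeader = csrfMeta.getAttribute('name');
let   csrfHash   = csrfMeta.getAttribute('content');

async function saveProfileJson(payload) {
    const response = await fetch('/profile/save-json', {   // assumed route
        method: 'POST',
        headers: { 'Content-Type': 'application/json', [csrfHeader]: csrfHash },
        body: JSON.stringify(payload),
    });
    const data = await response.json();

    // With $regenerate = true (the default) the token changes after every
    // validated request, so a second call with the old hash would fail.
    // The endpoint is expected to return the fresh hash (e.g. csrf_hash());
    // keep it for the next call and update the meta tag for other scripts.
    if (typeof data.csrf_hash === 'string') {
        csrfHash = data.csrf_hash;
        csrfMeta.setAttribute('content', csrfHash);
    }
    return data;
}
</script>
</body>
</html>
```

<p>For the refresh to work, the JSON endpoint has to include the current value of <code class="docutils literal notranslate"><span class="pre">csrf_hash()</span></code> in its response. If you instead set <code class="docutils literal notranslate"><span class="pre">$regenerate</span></code> to <code class="docutils literal notranslate"><span class="pre">false</span></code>, the token stays valid for the life of the session or cookie and the refresh logic is unnecessary.</p>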
</section>
<section id="the-order-of-token-sent-by-users">
<h3><a class="toc-backref" href="#id15" role="doc-backlink">The Order of Token Sent by Users</a><a class="headerlink" href="#the-order-of-token-sent-by-users" title="Permalink to this heading"></a></h3>
<p>The order of checking the availability of the CSRF token is as follows:</p>
<ol class="arabic simple">
<li><p><code class="docutils literal notranslate"><span class="pre">$_POST</span></code> array</p></li>
<li><p>HTTP header</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">php://input</span></code> (JSON request) - bear in mind that this approach is the slowest one since we have to decode JSON and then re-encode it</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">php://input</span></code> (raw body) - for PUT, PATCH, and DELETE type of requests</p></li>
</ol>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p><code class="docutils literal notranslate"><span class="pre">php://input</span></code> (raw body) is checked since v4.4.2.</p>
</div>
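<p>To make the precedence above concrete, here is an added stand-alone PHP function that mirrors the documented lookup order on explicit inputs instead of reading <code class="docutils literal notranslate"><span class="pre">$_POST</span></code> and <code class="docutils literal notranslate"><span class="pre">php://input</span></code> itself. It is not the framework's implementation, and the token and header names used in the demo (<code class="docutils literal notranslate"><span class="pre">csrf_test_name</span></code>, <code class="docutils literal notranslate"><span class="pre">X-CSRF-TOKEN</span></code>) are assumed to match the <code class="docutils literal notranslate"><span class="pre">$tokenName</span></code> and <code class="docutils literal notranslate"><span class="pre">$headerName</span></code> values in your <strong>app/Config/Security.php</strong>.</p>

```php
<?php
declare(strict_types=1);

// Added example, not CodeIgniter's own code: the documented token lookup order
// as a pure function, so the precedence can be exercised offline.

/**
 * @param array<string,mixed>  $post     decoded form fields (what $_POST would hold)
 * @param array<string,string> $headers  request headers, names as the client sent them
 * @param string               $rawBody  request body (JSON or urlencoded), may be empty
 * @return string|null the token found first in the documented order, or null
 */
function findCsrfToken(string $tokenName, string $headerName, array $post, array $headers, string $rawBody): ?string
{
    // 1. $_POST array (regular form submissions)
    if (isset($post[$tokenName]) && is_string($post[$tokenName])) {
        return $post[$tokenName];
    }

    // 2. HTTP header; header names are case-insensitive, so compare accordingly
    foreach ($headers as $name => $value) {
        if (strcasecmp($name, $headerName) === 0) {
            return $value;
        }
    }

    // 3. JSON body: the slowest path, since the body has to be decoded
    if ($rawBody !== '') {
        $json = json_decode($rawBody, true);
        if (is_array($json) && isset($json[$tokenName]) && is_string($json[$tokenName])) {
            return $json[$tokenName];
        }
    }

    // 4. raw urlencoded body, the case for PUT, PATCH and DELETE requests
    parse_str($rawBody, $fields);
    if (isset($fields[$tokenName]) && is_string($fields[$tokenName])) {
        return $fields[$tokenName];
    }

    return null;
}

/** Constant-time comparison; a missing token is simply a mismatch. */
function csrfTokenMatches(?string $submitted, string $expected): bool
{
    return $submitted !== null && hash_equals($expected, $submitted);
}

// Constructed request fragments (assumed to match your app/Config/Security.php).
$tokenName  = 'csrf_test_name';
$headerName = 'X-CSRF-TOKEN';
$expected   = 'deadbeefdeadbeef';

// Header and JSON body both carry a value: the header wins, the body is never decoded.
$fromHeader = findCsrfToken($tokenName, $headerName, [],
    ['x-csrf-token' => $expected], '{"csrf_test_name":"stale"}');
var_dump(csrfTokenMatches($fromHeader, $expected));

// No form field, no header: the JSON body is consulted.
$fromJson = findCsrfToken($tokenName, $headerName, [], [], '{"csrf_test_name":"deadbeefdeadbeef"}');
var_dump(csrfTokenMatches($fromJson, $expected));

// A PUT with an urlencoded body falls through to step 4.
$fromRaw = findCsrfToken($tokenName, $headerName, [], [], 'csrf_test_name=deadbeefdeadbeef&id=7');
var_dump(csrfTokenMatches($fromRaw, $expected));

// Nothing carries the token: null, which the comparison treats as a mismatch.
var_dump(csrfTokenMatches(findCsrfToken($tokenName, $headerName, [], [], ''), $expected));
```

<p>The ordering is why a stale value in a JSON body does not matter once a client sends the header: the header is checked first. Conversely, a client that relies on the JSON body pays the decode cost on every request, which is the reason the docs list it as the slowest option.</p>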
</section>
</section>
<section id="other-helpful-methods">
<h2><a class="toc-backref" href="#id16" role="doc-backlink">Other Helpful Methods</a><a class="headerlink" href="#other-helpful-methods" title="Permalink to this heading"></a></h2>
<p>You will never need to use most of the methods in the Security class directly. The following are methods that
you might find helpful that are not related to the CSRF protection.</p>
<section id="sanitizefilename">
<h3><a class="toc-backref" href="#id17" role="doc-backlink">sanitizeFilename()</a><a class="headerlink" href="#sanitizefilename" title="Permalink to this heading"></a></h3>
<p>Tries to sanitize filenames in order to prevent directory traversal attempts and other security threats, which is
particularly useful for files that were supplied via user input. The first parameter is the path to sanitize.</p>
<p>If it is acceptable for the user input to include relative paths, e.g., <strong>file/in/some/approved/folder.txt</strong>, you can set
the second optional parameter, <code class="docutils literal notranslate"><span class="pre">$relativePath</span></code> to <code class="docutils literal notranslate"><span class="pre">true</span></code>.</p>
<div class="highlight-html+php notranslate"><div class="highlight"><pre><span></span><span class="o">&lt;?</span><span class="nx">php</span>
<span class="c1">// The Security and Request instances are available as services</span>
<span class="nv">$security</span> <span class="o">=</span> <span class="nx">service</span><span class="p">(</span><span class="s1">&#39;security&#39;</span><span class="p">);</span>
<span class="nv">$request</span> <span class="o">=</span> <span class="nx">service</span><span class="p">(</span><span class="s1">&#39;request&#39;</span><span class="p">);</span>
<span class="c1">// Sanitize the user-supplied path before using it on the filesystem</span>
<span class="nv">$path</span> <span class="o">=</span> <span class="nv">$security</span><span class="o">-&gt;</span><span class="na">sanitizeFilename</span><span class="p">(</span><span class="nv">$request</span><span class="o">-&gt;</span><span class="na">getVar</span><span class="p">(</span><span class="s1">&#39;filepath&#39;</span><span class="p">));</span>
</pre></div>
</div>
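<p>The controller below is an added example, not code from the CodeIgniter docs or framework. It uses <code class="docutils literal notranslate"><span class="pre">sanitizeFilename()</span></code> with <code class="docutils literal notranslate"><span class="pre">$relativePath</span></code> set to <code class="docutils literal notranslate"><span class="pre">true</span></code> and then adds the check a practitioner should not skip: resolving the canonical path and confirming it stays inside the approved directory, so that the file served is bounded by the directory rather than by the sanitizer's character list alone. The controller, method, directory and route names are assumptions.</p>

```php
<?php
// Added example (not from the CodeIgniter docs): sanitize a user-supplied
// relative path, then confine the resolved file to an approved directory.
// Class name, method name and directory are assumptions of this example.

namespace App\Controllers;

use CodeIgniter\HTTP\ResponseInterface;

class Download extends BaseController
{
    // Files that users may fetch live only under this directory (assumed).
    private string $approvedDir = WRITEPATH . 'exports';

    public function show(): ResponseInterface
    {
        $security = service('security');

        // $relativePath = true: input like "reports/2024/q1.csv" is acceptable here.
        $relative = $security->sanitizeFilename(
            (string) $this->request->getVar('filepath'),
            true
        );

        // Defense in depth: sanitization strips known-bad sequences, but the
        // authoritative check is that the canonical path is inside $approvedDir.
        // realpath() returns false for non-existent paths, which we treat as a reject.
        $base = realpath($this->approvedDir);
        $full = realpath($this->approvedDir . DIRECTORY_SEPARATOR . $relative);

        if ($base === false || $full === false
            || ! str_starts_with($full, $base . DIRECTORY_SEPARATOR)) {
            // Same response whether the path was outside the directory or missing,
            // so the response does not reveal directory layout; log it for detection.
            log_message('warning', 'Rejected file request: {path}', ['path' => $relative]);

            return $this->response->setStatusCode(404);
        }

        // Passing null as $data makes download() read the file from disk.
        return $this->response->download($full, null);
    }
}
```

<p>Note that an empty <code class="docutils literal notranslate"><span class="pre">filepath</span></code> resolves to the approved directory itself and is rejected by the prefix comparison, because the directory is not a path <em>under</em> itself. Keep the approved directory outside the web root so that even a misconfiguration cannot expose it directly.</p>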
</section>
</section>
</section>
</div>
</div>
<footer>
<hr/>
<div role="contentinfo">
<p>&#169; Copyright 2019-2025 CodeIgniter Foundation.
<span class="lastupdated">Last updated on Feb 07, 2025.
</span></p>
</div>
</footer>
</div>
</div>
</section>
</div>
</body>
</html>