CodeIgniter4/libraries/security.html
2018-12-30 20:23:53 -08:00


<!DOCTYPE html>
<!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]-->
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Security Class &mdash; CodeIgniter4 4.0.0-alpha.4 documentation</title>
<link rel="shortcut icon" href="../_static/ci-icon.ico"/>
<link rel="stylesheet" href="../_static/css/citheme.css" type="text/css" />
<link rel="top" title="CodeIgniter4 4.0.0-alpha.4 documentation" href="../index.html"/>
<link rel="up" title="Library Reference" href="index.html"/>
<link rel="next" title="Session Library" href="sessions.html"/>
<link rel="prev" title="Pagination" href="pagination.html"/>
<script src="../_static/js/modernizr.min.js"></script>
</head>
<body class="wy-body-for-nav" role="document">
<div class="wy-grid-for-nav">
<section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">
<div class="wy-nav-content">
<div class="rst-content">
<div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
<div itemprop="articleBody">
<div class="section" id="security-class">
<h1>Security Class<a class="headerlink" href="#security-class" title="Permalink to this headline"></a></h1>
<p>The Security Class contains methods that help protect your site against Cross-Site Request Forgery attacks.</p>
<div class="contents local topic" id="contents">
<ul class="simple">
<li><a class="reference internal" href="#loading-the-library" id="id1">Loading the Library</a></li>
<li><a class="reference internal" href="#cross-site-request-forgery-csrf" id="id2">Cross-site request forgery (CSRF)</a></li>
<li><a class="reference internal" href="#other-helpful-methods" id="id3">Other Helpful Methods</a></li>
</ul>
</div>
<div class="section" id="loading-the-library">
<h2><a class="toc-backref" href="#id1">Loading the Library</a><a class="headerlink" href="#loading-the-library" title="Permalink to this headline"></a></h2>
<p>If you only need CSRF protection, you never have to load the library yourself: the protection runs as a
filter (configured below) and needs no manual interaction from your code.</p>
<p>If you find a case where you do need direct access though, you may load it through the Services file:</p>
<div class="highlight-ci"><div class="highlight"><pre><span></span><span class="nv">$security</span> <span class="o">=</span> <span class="nx">\Config\Services</span><span class="o">::</span><span class="na">security</span><span class="p">();</span>
</pre></div>
</div>
</div>
<div class="section" id="cross-site-request-forgery-csrf">
<h2><a class="toc-backref" href="#id2">Cross-site request forgery (CSRF)</a><a class="headerlink" href="#cross-site-request-forgery-csrf" title="Permalink to this headline"></a></h2>
<p>You can enable CSRF protection by altering your <strong>app/Config/Filters.php</strong>
and enabling the <cite>csrf</cite> filter globally:</p>
<div class="highlight-ci"><div class="highlight"><pre><span></span><span class="k">public</span> <span class="nv">$globals</span> <span class="o">=</span> <span class="p">[</span>
<span class="s1">&#39;before&#39;</span> <span class="o">=&gt;</span> <span class="p">[</span>
<span class="s1">&#39;csrf&#39;</span>
<span class="p">]</span>
<span class="p">];</span>
</pre></div>
</div>
<p>Select URIs can be excluded from CSRF protection (for example, API endpoints that receive
POSTed content from other systems). Add them as exceptions to the filter. Every URI listed
here is served with no CSRF check at all, so an excluded endpoint must not rely on credentials
the browser attaches automatically (the session cookie); authenticate it with a token carried in a
request header or the request body instead, and keep the list as narrow as possible:</p>
<div class="highlight-ci"><div class="highlight"><pre><span></span><span class="k">public</span> <span class="nv">$globals</span> <span class="o">=</span> <span class="p">[</span>
<span class="s1">&#39;before&#39;</span> <span class="o">=&gt;</span> <span class="p">[</span>
<span class="s1">&#39;csrf&#39;</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">&#39;except&#39;</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">&#39;api/record/save&#39;</span><span class="p">]]</span>
<span class="p">]</span>
<span class="p">];</span>
</pre></div>
</div>
<p>Regular expressions are also supported (case-insensitive). Write the expression so that it matches only the
intended paths; an over-broad pattern silently widens the set of URIs that run without a CSRF check:</p>
<div class="highlight-ci"><div class="highlight"><pre><span></span><span class="k">public</span> <span class="nv">$globals</span> <span class="o">=</span> <span class="p">[</span>
<span class="s1">&#39;before&#39;</span> <span class="o">=&gt;</span> <span class="p">[</span>
<span class="s1">&#39;csrf&#39;</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">&#39;except&#39;</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">&#39;api/record/[0-9]+&#39;</span><span class="p">]]</span>
<span class="p">]</span>
<span class="p">];</span>
</pre></div>
</div>
<p>If you use the <a class="reference internal" href="../helpers/form_helper.html"><span class="doc">form helper</span></a>, then
<code class="xref py py-func docutils literal"><span class="pre">form_open()</span></code> will automatically insert a hidden csrf field in
your forms. If not, you can use the always available <code class="docutils literal"><span class="pre">csrf_token()</span></code>
and <code class="docutils literal"><span class="pre">csrf_hash()</span></code> functions, which return the hidden field's name and
value respectively:</p>
<div class="highlight-ci"><div class="highlight"><pre><span></span><span class="o">&lt;</span><span class="nx">input</span> <span class="nx">type</span><span class="o">=</span><span class="s2">&quot;hidden&quot;</span> <span class="nx">name</span><span class="o">=</span><span class="s2">&quot;&lt;?= csrf_token() ?&gt;&quot;</span> <span class="nx">value</span><span class="o">=</span><span class="s2">&quot;&lt;?= csrf_hash() ?&gt;&quot;</span> <span class="o">/&gt;</span>
</pre></div>
</div>
<p>Additionally, you can use the <code class="docutils literal"><span class="pre">csrf_field()</span></code> method to generate this
hidden input field for you:</p>
<div class="highlight-ci"><div class="highlight"><pre><span></span><span class="c1">// Generates: &lt;input type=&quot;hidden&quot; name=&quot;{csrf_token}&quot; value=&quot;{csrf_hash}&quot; /&gt;</span>
<span class="o">&lt;?=</span> <span class="nx">csrf_field</span><span class="p">()</span> <span class="cp">?&gt;</span>
</pre></div>
</div>
<p>Tokens may be either regenerated on every submission (default) or
kept the same throughout the life of the CSRF cookie. Regenerating on every
submission is stricter, because a token that leaks (through a log, a referrer
header, or a page left open) is only useful until the next submission, but it can
cause usability problems: every other copy of the old token becomes invalid
(back/forward navigation, multiple tabs or windows, asynchronous requests, and so on).
You may alter this behavior by editing the following parameter in
<strong>app/Config/App.php</strong>, alongside the other CSRF settings:</p>
<div class="highlight-ci"><div class="highlight"><pre><span></span><span class="k">public</span> <span class="nv">$CSRFRegenerate</span> <span class="o">=</span> <span class="k">true</span><span class="p">;</span>
</pre></div>
</div>
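<p>The trade-off above is easiest to see by running it. The following is an added example, not the framework's
Security class or code from this documentation: a minimal model of the double-submit check (the hidden
form field must equal the value stored in the CSRF cookie) with the optional per-submission regeneration that
<code>$CSRFRegenerate</code> controls. The <code>$cookie</code> array stands in for the browser's cookie jar,
the array passed to <code>verify()</code> stands in for <code>$_POST</code>, and the field name
<code>csrf_token</code> is hypothetical.</p>

```php
<?php
declare(strict_types=1);

/**
 * Added illustrative model of a double-submit CSRF token with optional
 * regeneration. Not the framework's implementation.
 */
final class CsrfModel
{
    /** @var array<string,string> simulated cookie jar shared by all tabs */
    private $cookie = [];

    /** @var string hypothetical name of the hidden field and the cookie */
    private $tokenName = 'csrf_token';

    /** @var bool regenerate the token after every successful submission */
    private $regenerate;

    public function __construct(bool $regenerate)
    {
        $this->regenerate = $regenerate;
    }

    /** Render time: return the current token, creating one on first use. */
    public function issue(): string
    {
        if (!isset($this->cookie[$this->tokenName])) {
            $this->cookie[$this->tokenName] = bin2hex(random_bytes(16));
        }
        return $this->cookie[$this->tokenName];
    }

    /** Submit time: accept only if the posted field matches the cookie. */
    public function verify(array $post): bool
    {
        $expected = $this->cookie[$this->tokenName] ?? null;
        $given    = $post[$this->tokenName] ?? null;
        if (!is_string($expected) || !is_string($given)) {
            return false;
        }
        // Constant-time comparison: never compare secrets with == or ===.
        if (!hash_equals($expected, $given)) {
            return false;
        }
        if ($this->regenerate) {
            // Every other copy of the old token (other tabs, history entries,
            // in-flight asynchronous requests) is invalid from this point on.
            $this->cookie[$this->tokenName] = bin2hex(random_bytes(16));
        }
        return true;
    }
}

foreach ([true, false] as $regenerate) {
    $csrf = new CsrfModel($regenerate);
    $tabA = $csrf->issue();   // page rendered in tab A
    $tabB = $csrf->issue();   // same page rendered in tab B (same cookie)

    $first  = $csrf->verify(['csrf_token' => $tabA]);               // tab A submits
    $second = $csrf->verify(['csrf_token' => $tabB]);               // tab B submits the older token
    $forged = $csrf->verify(['csrf_token' => str_repeat('0', 32)]); // attacker's guess

    printf(
        "regenerate=%-5s tab A: %s  tab B: %s  forged: %s\n",
        $regenerate ? 'true' : 'false',
        $first  ? 'accepted' : 'rejected',
        $second ? 'accepted' : 'rejected',
        $forged ? 'accepted' : 'rejected'
    );
}
```

<p>With regeneration on, tab B's submission is rejected even though its token was valid when the page was
rendered; with regeneration off, both tabs succeed. The forged value is rejected in either mode, which is why the
setting is a usability choice rather than a choice between protected and unprotected.</p>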
<p>When a request fails the CSRF validation check, it will redirect to the previous page by default,
setting an <code class="docutils literal"><span class="pre">error</span></code> flash message that you can display to the end user. This provides a nicer experience
than an unhandled error page. This can be turned off by editing the <code class="docutils literal"><span class="pre">$CSRFRedirect</span></code> value in
<strong>app/Config/App.php</strong>:</p>
<div class="highlight-ci"><div class="highlight"><pre><span></span><span class="k">public</span> <span class="nv">$CSRFRedirect</span> <span class="o">=</span> <span class="k">false</span><span class="p">;</span>
</pre></div>
</div>
<p>Even when the redirect value is <strong>true</strong>, requests the framework recognises as AJAX are not redirected;
they receive an error response instead, so client-side code must check the response status rather than expect a
page load.</p>
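<p>Because the token travels as an ordinary form field, the simplest way to keep AJAX submissions working is to
send the whole form, hidden field included, and to have the endpoint hand back the fresh hash so the page can
replace a token that regeneration has just invalidated. The controller method and view below are an added example,
not code from the framework or this documentation, shown as two separate files. The route, controller, view and
field names are hypothetical. The example assumes that <code>csrf_hash()</code> already returns the regenerated
value by the time the controller runs (the filter runs before it), and that the framework classifies a request as
AJAX by the <code>X-Requested-With: XMLHttpRequest</code> header, which <code>fetch()</code> does not set on
its own.</p>

```php
<?php
// File 1: app/Controllers/Record.php (hypothetical; added example, not framework code)
namespace App\Controllers;

use CodeIgniter\Controller;

class Record extends Controller
{
    public function save()
    {
        // ... validate and persist $this->request->getPost('title') here ...

        // Hand the current hash back: after a successful check with
        // $CSRFRegenerate = true, the token embedded in the page is stale.
        return $this->response->setJSON([
            'ok'   => true,
            'csrf' => csrf_hash(),
        ]);
    }
}
?>

<?php /* File 2: app/Views/record_form.php (hypothetical; same added example) */ ?>
<form id="record-form" method="post" action="/record/save">
    <?= csrf_field() ?>
    <input type="text" name="title" />
    <button type="submit">Save</button>
</form>
<script>
const form = document.getElementById('record-form');
// csrf_token() renders the hidden field's name, so this selector finds it.
const csrfInput = form.querySelector('input[name="<?= csrf_token() ?>"]');

form.addEventListener('submit', async (event) => {
    event.preventDefault();
    const response = await fetch(form.action, {
        method: 'POST',
        // FormData carries every field, including the hidden CSRF field,
        // so the token arrives in the POST body where the filter looks for it.
        body: new FormData(form),
        // The CSRF cookie must accompany the request for the check to pass.
        credentials: 'same-origin',
        // Mark the call as AJAX so a failed check yields an error response
        // instead of a redirect that this script could not interpret.
        headers: { 'X-Requested-With': 'XMLHttpRequest' },
    });
    if (!response.ok) {
        console.error('save rejected, HTTP ' + response.status);
        return;
    }
    const data = await response.json();
    // Replace the now-stale token so the next submission from this page passes.
    csrfInput.value = data.csrf;
});
</script>
```

<p>Without the last step, the second asynchronous submission from the same page fails whenever
<code>$CSRFRegenerate</code> is true, which is the "asynchronous actions" case mentioned above.</p>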
</div>
<div class="section" id="other-helpful-methods">
<h2><a class="toc-backref" href="#id3">Other Helpful Methods</a><a class="headerlink" href="#other-helpful-methods" title="Permalink to this headline"></a></h2>
<p>You will never need to use most of the methods in the Security class directly. The following are methods that
you might find helpful that are not related to the CSRF protection.</p>
<p><strong>sanitizeFilename()</strong></p>
<p>Tries to sanitize filenames in order to prevent directory traversal attempts and other security threats, which is
particularly useful for files that were supplied via user input. The first parameter is the path to sanitize.</p>
<p>If it is acceptable for the user input to include relative paths, e.g. <code class="docutils literal"><span class="pre">file/in/some/approved/folder.txt</span></code>, you can set
the second optional parameter, <code class="docutils literal"><span class="pre">$relative_path</span></code>, to true. Leave it false (the default) when you expect a bare filename.</p>
<p>Sanitizing reduces the attack surface but does not by itself authorize access: still resolve the result against
the directory you intend to serve from and refuse anything that lands outside it.</p>
<div class="highlight-ci"><div class="highlight"><pre><span></span><span class="nv">$path</span> <span class="o">=</span> <span class="nv">$security</span><span class="o">-&gt;</span><span class="na">sanitizeFilename</span><span class="p">(</span><span class="nv">$request</span><span class="o">-&gt;</span><span class="na">getVar</span><span class="p">(</span><span class="s1">&#39;filepath&#39;</span><span class="p">));</span>
</pre></div>
</div>
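<p>The containment check just described, as an added example that is not part of the framework: a plain PHP
function that resolves a user-supplied relative path under one base directory and rejects anything that escapes it.
It complements <code>sanitizeFilename()</code> rather than replacing it. The base directory, the approved file and
the sample inputs are constructed for the demonstration.</p>

```php
<?php
declare(strict_types=1);

/**
 * Added example: confine a user-supplied relative path to $baseDir.
 * Returns the resolved absolute path, or null if the path is absolute,
 * contains a NUL byte, does not exist, or resolves outside the base.
 */
function resolveWithinBase(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // NUL bytes and absolute paths (POSIX or Windows drive/root) are never
    // legitimate for a path that is supposed to be relative to the base.
    if ($userPath === ''
        || strpos($userPath, "\0") !== false
        || preg_match('#^([A-Za-z]:)?[\\\\/]#', $userPath) === 1) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false) {
        return null;
    }
    // realpath() has collapsed any ../ and followed symlinks; the result
    // must still start with the base directory plus a separator, so a
    // sibling such as /srv/approved-other is not mistaken for /srv/approved.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed fixture: a temporary base directory holding one approved file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'approved_' . bin2hex(random_bytes(4));
mkdir($base . '/reports', 0700, true);
file_put_contents($base . '/reports/q1.txt', "quarterly report\n");

$inputs = [
    'reports/q1.txt',            // approved relative path: accepted
    'reports/../reports/q1.txt', // normalises to a path inside the base: accepted
    '../../etc/passwd',          // traversal out of the base: rejected
    '/etc/passwd',               // absolute path: rejected
    "reports/q1.txt\0.png",      // NUL byte: rejected
    'reports/missing.txt',       // does not exist: rejected
];
foreach ($inputs as $input) {
    $resolved = resolveWithinBase($base, $input);
    printf("%-28s => %s\n", addcslashes($input, "\0"), $resolved ?? 'REJECTED');
}

// Clean up the fixture.
unlink($base . '/reports/q1.txt');
rmdir($base . '/reports');
rmdir($base);
```

<p>Pass the output of <code>sanitizeFilename()</code> in as <code>$userPath</code>; the sanitizer strips the
obvious traversal sequences, and the prefix check after <code>realpath()</code> is what guarantees the file
actually lives under the directory you intended to expose.</p>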
</div>
</div>
</div>
</div>
<footer>
<hr/>
<div role="contentinfo">
<p>
&copy; Copyright 2014-2019 British Columbia Institute of Technology.
Last updated on Dec 30, 2018.
</p>
</div>
Built with <a href="http://sphinx-doc.org/">Sphinx</a> using a <a href="https://github.com/snide/sphinx_rtd_theme">theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>.
</footer>
</div>
</div>
</section>
</div>
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT:'../',
VERSION:'4.0.0-alpha.4',
COLLAPSE_INDEX:false,
FILE_SUFFIX:'.html',
HAS_SOURCE: false,
SOURCELINK_SUFFIX: ''
};
</script>
<script type="text/javascript" src="../_static/jquery.js"></script>
<script type="text/javascript" src="../_static/underscore.js"></script>
<script type="text/javascript" src="../_static/doctools.js"></script>
<script type="text/javascript" src="../_static/js/theme.js"></script>
<script type="text/javascript">
jQuery(function () {
SphinxRtdTheme.StickyNav.enable();
});
</script>
</body>
</html>