• Archived on 29/Dec/2020
• Stars: 151
• Language: PHP
• License: MIT License
• Created almost 11 years ago, updated almost 4 years ago


Automatic CSRF protection for JavaScript apps using a Symfony API

JavaScript CSRF Protection Bundle

Archived! Now that all modern browsers implement SameSite cookies and the Origin HTTP header, this bundle is, in most cases, no longer necessary. Learn how to protect your Symfony APIs from CSRF attacks. If you need to maintain old applications, take a look at DneustadtCsrfCookieBundle.

This API Platform and Symfony bundle provides automatic Cross Site Request Forgery (CSRF or XSRF) protection for client-side applications.

Despite the name, it works with any client-side technology including Angular, React, Vue.js and jQuery. Actually, any JavaScript code issuing XMLHttpRequest or using the Fetch API can leverage this bundle.


How it Works

With this bundle, the server-side application (the Symfony app) automatically sets a cookie named XSRF-Token containing a unique token in the first HTTP response sent to the browser. Subsequent asynchronous requests made by the JavaScript app with xhr or fetch send the value of the cookie back in a dedicated HTTP header named X-XSRF-Token.

To prevent CSRF attacks, the bundle checks that the header's value matches the cookie's value. A page served from another origin cannot read the cookie, so it cannot supply a matching header; this is how the bundle detects and blocks CSRF attacks.

AngularJS (v1)'s ng.$http service has built-in support for this CSRF protection scheme. If you use another framework or HTTP client (such as Axios), you just need to read the cookie value and add the HTTP header containing it yourself.

This bundle provides a Symfony event listener that sets the cookie and another one that checks the HTTP header to block CSRF attacks.

Thanks to DunglasAngularCsrfBundle, you get CSRF security without modifying your code base.

This bundle works fine with both API Platform and FOSRestBundle.
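The two halves of the scheme just described, as an added example that is not code from DunglasAngularCsrfBundle: on the client, reading the XSRF-TOKEN cookie and copying it into the X-XSRF-TOKEN header for a non-Angular fetch() call; on the server, deciding whether a request is in scope of the secure/exclude patterns and whether the header equals the cookie. The function names (parseCookies, withXsrfHeader, isProtected, verifyXsrf, checkRequest), the rule format and the sample requests are assumptions constructed for the example; the RULES constant mirrors the path and host patterns of the security.yml shown in this README.

```javascript
// Added example, not code from DunglasAngularCsrfBundle. Function names and the
// rule format are assumptions; the cookie and header names are the bundle defaults.

const COOKIE_NAME = "XSRF-TOKEN";   // bundle default for cookie.name
const HEADER_NAME = "X-XSRF-TOKEN"; // bundle default for header.name

// Parse a Cookie request header (or document.cookie) into a name -> value map.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of String(cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const raw = part.slice(idx + 1).trim();
    if (!name) continue;
    try { jar[name] = decodeURIComponent(raw); } catch { jar[name] = raw; }
  }
  return jar;
}

// Client side: copy the cookie value into the request header before calling fetch().
// `init` is a fetch RequestInit; `cookieString` defaults to document.cookie in a
// browser and is passed explicitly here so the function is testable outside one.
function withXsrfHeader(init = {}, cookieString = globalThis.document ? globalThis.document.cookie : "") {
  const token = parseCookies(cookieString)[COOKIE_NAME];
  const headers = { ...(init.headers || {}) };
  if (token !== undefined) headers[HEADER_NAME] = token;
  return { ...init, headers };
}
// Browser usage: fetch("/api/items", withXsrfHeader({ method: "POST", body }));

// Constant-time comparison so a mismatch does not leak how many leading characters
// were correct. Length is not secret here: tokens have a fixed length.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Server side, decision 1: a request is in scope when it matches a `secure` rule
// and no `exclude` rule. Rules carry regexes for path/host and an optional method
// list (assumption: a rule without `methods` applies to every method).
function ruleMatches(rule, req) {
  if (rule.path && !rule.path.test(req.path)) return false;
  if (rule.host && !rule.host.test(req.host)) return false;
  if (rule.methods && !rule.methods.includes(req.method.toUpperCase())) return false;
  return true;
}
function isProtected(req, rules) {
  return rules.secure.some(r => ruleMatches(r, req)) && !rules.exclude.some(r => ruleMatches(r, req));
}

// Server side, decision 2: accept only when the header is present and equals the
// cookie. A cross-site page cannot read the cookie, so it cannot forge the header.
function verifyXsrf(cookieHeader, headerValue) {
  const cookieToken = parseCookies(cookieHeader)[COOKIE_NAME];
  if (cookieToken === undefined || typeof headerValue !== "string") return false;
  return constantTimeEqual(cookieToken, headerValue);
}

// Constructed rules mirroring the README's security.yml (path/host only; `route`
// rules need the Symfony router and are omitted here).
const RULES = {
  secure: [
    { path: /^\/api/, methods: ["POST", "PUT", "PATCH", "LINK"] },
    { host: /^example\.com$/, methods: ["POST", "PUT", "PATCH", "DELETE", "LINK"] },
  ],
  exclude: [
    { path: /^\/api\/exclude/, methods: ["POST", "PUT", "PATCH", "LINK"] },
  ],
};

// Full server decision over a constructed request object. Real servers normalize
// header names case-insensitively; the constructed object uses the exact name.
function checkRequest(req, rules = RULES) {
  if (!isProtected(req, rules)) return "not-in-scope";
  return verifyXsrf(req.cookie, req.headers[HEADER_NAME]) ? "accepted" : "rejected";
}
```

Because the client has to read the cookie, it cannot be flagged HttpOnly; the `secure: true` option in the configuration below keeps it off plaintext connections, and the `domain` option should be kept as narrow as possible so that other hosts sharing a parent domain cannot set a cookie of the same name.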

Installation

Use Composer to install this bundle:

composer require dunglas/angular-csrf-bundle

If you use Symfony Flex, you're done.

Otherwise add the bundle in your application kernel:

// app/AppKernel.php

public function registerBundles()
{
    return array(
        // ...
        new Dunglas\AngularCsrfBundle\DunglasAngularCsrfBundle(),
        // ...
    );
}

Configure URLs where the cookie must be set and that must be protected against CSRF attacks:

# app/config/security.yml
dunglas_angular_csrf:
    # Collection of patterns where to set the cookie
    cookie:
        set_on:
            - { path: ^/$ }
            - { route: ^app_, methods: [GET, HEAD] }
            - { host: example.com }
    # Collection of patterns to secure
    secure:
        - { path: ^/api, methods: [POST, PUT, PATCH, LINK] }
        - { route: ^api_v2_ }
        - { host: example.com, methods: [POST, PUT, PATCH, DELETE, LINK] }
    # Collection of patterns to exclude
    exclude:
        - { path: ^/api/exclude, methods: [POST, PUT, PATCH, LINK] }
        - { route: ^api_v2_exclude }
        - { host: exclude-example.com, methods: [POST, PUT, PATCH, DELETE, LINK] }

Your app is now secured.

Examples

  • DunglasTodoMVCBundle: an implementation of the TodoMVC app using Symfony, Backbone.js and Chaplin.js

Full Configuration

dunglas_angular_csrf:
    token:
        # The CSRF token id
        id: angular
    header:
        # The name of the HTTP header to check (defaults to the AngularJS default)
        name: X-XSRF-TOKEN
    cookie:
        # The name of the cookie to set (defaults to the AngularJS default)
        name: XSRF-TOKEN
        # Expiration time of the cookie
        expire: 0
        # Path of the cookie
        path: /
        # Domain of the cookie
        domain: ~
        # If true, set the cookie only on HTTPS connections
        secure: false
        # Patterns of URLs to set the cookie
        set_on:
            - { path: "^/url-pattern", route: "^route_name_pattern$", host: "example.com", methods: [GET, POST] }
    # Patterns of URLs to check for a valid CSRF token
    secure:
        - { path: "^/url-pattern", route: "^route_name_pattern$", host: "example.com", methods: [GET, POST] }
    # Patterns to exclude from secure routes
    exclude:
        - { path: "^/url-pattern/exclude", route: "^route_name_pattern$", host: "example.com", methods: [GET, POST] }

Integration with the Symfony Form Component

When the Symfony Form Component is used together with DunglasAngularCsrfBundle, the bundle automatically disables the built-in form CSRF protection only if the CSRF token provided by the header is valid.

If no CSRF header is found, or if the token is invalid, the bundle does not disable the form CSRF protection.

If you want a form to be validated only by the Form Component, remove its URL from the configuration.

Credits

This bundle has been created by Kévin Dunglas.
