How do I prevent cross-site request forgery (CSRF) attacks in PHP?

To prevent CSRF attacks in PHP, implement anti-CSRF tokens. 1) Generate and store secure tokens using random_bytes() or bin2hex(random_bytes(32)), save them in $_SESSION, and include them in forms as hidden inputs. 2) Validate tokens on submission by strictly comparing the POST token with the session-stored one; reject mismatched requests with a 403 error. 3) Protect AJAX/API requests by including the token in headers or body, often retrieved from a meta tag. 4) Use htmlspecialchars() when outputting tokens to prevent XSS leaks. 5) Regenerate tokens after critical actions like login. 6) Set SameSite=Strict/Lax for session cookies and avoid GET for state changes. 7) Re-authenticate users for sensitive actions. These steps ensure comprehensive CSRF protection across all request types while maintaining security integrity.

To prevent CSRF attacks in PHP, you need to implement a solid anti-CSRF strategy—mainly by using tokens. The idea is simple: every state-changing request (like form submissions) should include a unique, unpredictable token that only the legitimate user knows. Without this token, the server shouldn’t process the request.

Here’s how to actually do it well in practice.

Generate and Store Anti-CSRF Tokens

Every time you display a form that performs an action (like submitting settings or making a purchase), generate a secure token and store it somewhere safe on the server side—like in the session.

• Use random_bytes() or bin2hex(random_bytes(32)) to create a strong token.
• Save it in $_SESSION so you can compare it later when the form is submitted.

For example:

if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(50));
}

Then in your form:

<input type="hidden" name="csrf_token" value="<?= htmlspecialchars($_SESSION['csrf_token']) ?>">

This way, each form submission includes a token that the attacker can't guess or reproduce.

Validate the Token on Form Submission

When the form is submitted, check if the token in the POST data matches what’s stored in the session.

• Always check for the presence of the token.
• Compare it strictly (===) to avoid type-juggling issues.
• If it doesn’t match, reject the request with a 403 error or similar.

Example code:

if (!isset($_POST['csrf_token']) || $_POST['csrf_token'] !== $_SESSION['csrf_token']) {
    http_response_code(403);
    die('Invalid CSRF token.');
}

A small but important detail: always use htmlspecialchars() when outputting the token into HTML to prevent XSS from leaking the token.

Also, don’t forget to rotate or regenerate the token after critical actions like login or password change.

Don’t Forget AJAX Requests and APIs

If your site uses JavaScript to submit forms or make API calls, those requests also need CSRF protection.

• Include the CSRF token in the headers or body of the AJAX request.
• You can store the token in a meta tag or inline script and read it from there when making the call.

For example, set a meta tag in your HTML head:

<meta name="csrf-token" content="<?= htmlspecialchars($_SESSION['csrf_token']) ?>">

Then in your JS:

fetch('/update-profile', {
    method: 'POST',
    headers: {
        'X-CSRF-Token': document.querySelector('meta[name="csrf-token"]').content
    },
    body: new URLSearchParams({ name: 'John Doe' })
});

On the backend, look for the token in the X-CSRF-Token header and validate it just like with regular forms.

One thing to note: if you're building a single-page app (SPA) or mobile app that talks to your PHP backend, consider using same-site cookies and CSRF tokens together for better protection.

Bonus Tips: SameSite Cookies and HTTP-Only Forms

Even with tokens, there are extra steps you can take:

• Set SameSite=Strict or Lax on your session cookie to reduce cross-origin requests.
• Make sure your forms only accept POST requests where needed—don’t allow GET-based state changes.
• For sensitive operations (like deleting an account), re-authentication helps add another layer.

These aren’t replacements for CSRF tokens, but they work well alongside them.

That’s basically it. CSRF protection in PHP boils down to generating good tokens, validating them properly, and making sure they’re included in all relevant requests. It’s not overly complex, but easy to mess up if you skip even one step.

The above is the detailed content of How do I prevent cross-site request forgery (CSRF) attacks in PHP?. For more information, please follow other related articles on the PHP Chinese website!