Heratio Framework API Reference

CsrfService

CSRF Protection Service.

Provides per-session CSRF token generation and validation. Tokens rotate after 1 hour. Validation uses constant-time comparison.

Enforcement modes (configurable via ahg_settings key 'csrf_enforcement'):

  • 'enforce' : Block requests with invalid/missing tokens (403) [default]
  • 'log' : Log violations but allow request (for debugging)
  • 'off' : Disable CSRF checking entirely

Table of Contents

Constants

FIELD_NAME  = '_csrf_token'
POST parameter name
HEADER_NAME  = 'X-CSRF-TOKEN'
HTTP header name (for AJAX requests)

Methods

enforce()  : bool
Enforce CSRF protection on the current request.
generateToken()  : string
Generate or retrieve the current CSRF token.
getEnforcementMode()  : string
Get the current enforcement mode.
getMetaTag()  : string
Render a meta tag containing the CSRF token (for JS access).
getTokenFromRequest()  : string|null
Extract CSRF token from the current request.
isExempt()  : bool
Check if the current request is exempt from CSRF validation.
renderHiddenField()  : string
Render a hidden input field containing the CSRF token.
validateToken()  : bool
Validate a CSRF token against the session token.

Constants

FIELD_NAME

POST parameter name

public mixed FIELD_NAME = '_csrf_token'

HEADER_NAME

HTTP header name (for AJAX requests)

public mixed HEADER_NAME = 'X-CSRF-TOKEN'

Methods

enforce()

Enforce CSRF protection on the current request.

public static enforce() : bool

Call this in controller boot() or middleware. Behavior depends on enforcement mode: log only, enforce (403), or off.

Return values
bool

True if the request is allowed to proceed

generateToken()

Generate or retrieve the current CSRF token.

public static generateToken() : string

Creates a new token if none exists or if the current one has expired. Tokens are stored in the PHP session.

Return values
string

64-character hex token

getEnforcementMode()

Get the current enforcement mode.

public static getEnforcementMode() : string

Return values
string

'log', 'enforce', or 'off'

getMetaTag()

Render a meta tag containing the CSRF token (for JS access).

public static getMetaTag() : string

Return values
string

HTML meta element

getTokenFromRequest()

Extract CSRF token from the current request.

public static getTokenFromRequest() : string|null

Checks in order:

  1. POST body parameter (_csrf_token)
  2. HTTP header (X-CSRF-TOKEN)

Return values
string|null

The token, or null if not found

isExempt()

Check if the current request is exempt from CSRF validation.

public static isExempt() : bool

Exemptions:

  • Requests with a Bearer token (API authentication)
  • Requests with an X-API-Key header
  • XMLHttpRequest with a custom header (handled by csrf.js)
  • Non-mutating methods (GET, HEAD, OPTIONS)

Return values
bool

True if the request is exempt

renderHiddenField()

Render a hidden input field containing the CSRF token.

public static renderHiddenField() : string

Return values
string

HTML hidden input element

validateToken()

Validate a CSRF token against the session token.

public static validateToken(string $token) : bool

Uses hash_equals() for constant-time comparison to prevent timing attacks.

Parameters
$token : string

The token to validate

Return values
bool

True if the token is valid
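The following is an added, illustrative re-implementation of the behaviour documented on this page (token generation with 1-hour rotation, hash_equals() validation, POST-then-header extraction, and the documented exemptions); it is not the Heratio Framework's own CsrfService source. The session slot name, the TTL constant and the array-based request/session arguments are assumptions made so the round trip runs without a web server.

```php
<?php
// Illustrative re-implementation of the documented CsrfService behaviour,
// not the framework's code. SESSION_KEY, TTL and the array-based I/O are assumed.
final class CsrfDemo
{
    const FIELD_NAME  = '_csrf_token';
    const TTL         = 3600;      // "tokens rotate after 1 hour"
    const SESSION_KEY = '_csrf';   // assumed session slot
    // Generate or retrieve: 32 random bytes -> 64-char hex, replaced once older than TTL.
    public static function generateToken(array &$session, int $now): string
    {
        $entry = $session[self::SESSION_KEY] ?? null;
        if ($entry === null || $now - $entry['created'] >= self::TTL) {
            $entry = ['value' => bin2hex(random_bytes(32)), 'created' => $now];
            $session[self::SESSION_KEY] = $entry;
        }
        return $entry['value'];
    }

    // hash_equals() is constant-time; an absent session token never matches.
    public static function validateToken(array $session, string $token): bool
    {
        $stored = $session[self::SESSION_KEY]['value'] ?? '';
        return $stored !== '' && hash_equals($stored, $token);
    }

    // Documented order: POST body first, then X-CSRF-TOKEN (HTTP_X_CSRF_TOKEN in $_SERVER).
    public static function getTokenFromRequest(array $post, array $server): ?string
    {
        $body = $post[self::FIELD_NAME] ?? null;
        return is_string($body) ? $body : ($server['HTTP_X_CSRF_TOKEN'] ?? null);
    }

    // Documented exemptions: safe methods, Bearer authentication, X-API-Key header.
    public static function isExempt(array $server): bool
    {
        return in_array($server['REQUEST_METHOD'] ?? 'GET', ['GET', 'HEAD', 'OPTIONS'], true)
            || strncmp($server['HTTP_AUTHORIZATION'] ?? '', 'Bearer ', 7) === 0
            || isset($server['HTTP_X_API_KEY']);
    }
}
// Constructed round trip: the form render issues the token, the POST submits it.
$session = [];
$token   = CsrfDemo::generateToken($session, time());
$server  = ['REQUEST_METHOD' => 'POST'];
$genuine = CsrfDemo::getTokenFromRequest([CsrfDemo::FIELD_NAME => $token], $server);
$forged  = CsrfDemo::getTokenFromRequest([], $server);   // cross-site form carries no token
$allowed = fn(?string $t) => CsrfDemo::isExempt($server) || CsrfDemo::validateToken($session, (string) $t);
var_dump($allowed($genuine), $allowed($forged));          // genuine passes, tokenless is rejected
```

The XMLHttpRequest exemption listed above depends on csrf.js and is deliberately left out here; in a real deployment the session array is $_SESSION and the request arrays are $_POST and $_SERVER.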
