Commit 070cdb4

docs: update user guide
1 parent 11b5c26 commit 070cdb4

3 files changed

Lines changed: 33 additions & 0 deletions

user_guide_src/source/changelogs/v4.1.5.rst

Lines changed: 6 additions & 0 deletions
@@ -5,6 +5,12 @@ Release Date: Not released
55

66
**4.1.5 release of CodeIgniter4**
77

8+
BREAKING:
9+
10+
Fixed `a bug <https://github.com/codeigniter4/CodeIgniter4/issues/2913>`_ on CSRF protection.
11+
Now CSRF protection works on PUT/PATCH/DELETE requests when CSRF filter is applied.
12+
If you use such requests, you need to send CSRF token.
13+
814
Enhancements:
915

1016
- Added Cache config for reserved characters
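Review bot: The three lines under ``BREAKING:`` tell PUT/PATCH/DELETE users they "need to send CSRF token" but not how, and do not mention the alternative the upgrade guide gives (dropping the CSRF filter for those methods); suggest "you need to send the CSRF token, or remove the CSRF filter for those requests (see *CSRF Protection* in the 4.1.5 upgrade guide)" so the changelog points readers to the fuller note. Minor wording: "a bug on CSRF protection" reads better as "a bug in CSRF protection".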

user_guide_src/source/installation/upgrade_415.rst

Lines changed: 17 additions & 0 deletions
@@ -53,3 +53,20 @@ The following methods and a property have been deprecated:
5353
- ``CodeIgniter\Router\RouteCollection``'s property ``$filterInfo``
5454

5555
See *Applying Filters* in :doc:`Routing </incoming/routing>` for the functionality.
56+
57+
**CSRF Protection**
58+
59+
Because of a bug fix,
60+
now CSRF protection works on not only **POST** but also **PUT/PATCH/DELETE** requests when CSRF filter is applied.
61+
62+
When you use **PUT/PATCH/DELETE** requests, you need to send CSRF token. Or remove the CSRF filter
63+
for such requests if you don't need CSRF protection for them.
64+
65+
If you want the same behavior as the previous version, set the CSRF filter like the following in **app/Config/Filters.php**::
66+
67+
public $methods = [
68+
'get' => ['csrf'],
69+
'post' => ['csrf'],
70+
];
71+
72+
Protecting **GET** method needs only when you use ``form_open()`` auto-generation of CSRF field.
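Review bot: The ``$methods`` snippet that restores the previous behaviour only has that effect if ``csrf`` is not also listed in ``$globals['before']`` of **app/Config/Filters.php**; a filter in ``$globals`` runs for every request regardless of ``$methods``, so the note should tell readers to remove or comment out the ``csrf`` entry there when they move it into ``$methods``. The final sentence is also ungrammatical and hides the reason for the ``'get'`` entry; suggest "Applying the filter to **GET** requests is needed only when you rely on ``form_open()`` to generate the CSRF field." Likewise "you need to send CSRF token" should read "you need to send the CSRF token".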

user_guide_src/source/libraries/security.rst

Lines changed: 10 additions & 0 deletions
@@ -23,6 +23,9 @@ If you find a case where you do need direct access though, you may load it throu
2323
Cross-site request forgery (CSRF)
2424
*********************************
2525

26+
.. warning:: The CSRF Protection is only available for **POST/PUT/PATCH/DELETE** requests.
27+
Requests for other methods are not protected.
28+
2629
Enable CSRF Protection
2730
======================
2831

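Review bot: Check that the second line of the new ``.. warning::`` ("Requests for other methods are not protected.") is indented under the directive (indentation is not visible in this view); if it is flush left, Sphinx closes the directive after the first line and renders that sentence as a separate paragraph outside the warning box. It would also help to say why GET and the other methods are excluded: they are expected to be safe methods that change no state, so there is nothing for a CSRF token to protect, which steers readers away from putting state-changing actions behind GET and then wondering why they are unprotected.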
@@ -54,6 +57,13 @@ Regular expressions are also supported (case-insensitive)::
5457
],
5558
];
5659

60+
It is also possible to enable the CSRF filter only for specific methods::
61+
62+
public $methods = [
63+
'get' => ['csrf'],
64+
'post' => ['csrf'],
65+
];
66+
5767
HTML Forms
5868
==========
5969

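Review bot: The new ``$methods`` example lists ``'get' => ['csrf']`` a few lines after a warning that says GET requests are not protected, which reads as a contradiction; either say what the ``get`` entry is for (the filter has to run on the GET that renders the form when ``form_open()`` generates the CSRF field, as the upgrade note in this same commit explains) or drop ``get`` from the example. The lead-in "It is also possible to enable the CSRF filter only for specific methods" should also state that this per-method form replaces a ``csrf`` entry in ``$globals['before']`` rather than adding to it, since a global filter still runs for every method.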