@@ -75,6 +75,15 @@ class Security
7575 */
7676 protected $ CSRFTokenName'CSRFToken ' ;
7777
78+ /**
79+ * CSRF Header name
80+ *
81+ * Token name for Cross Site Request Forgery protection cookie.
82+ *
83+ * @var string
84+ */
85+ protected $ CSRFHeaderName'CSRFToken ' ;
86+
7887 /**
7988 * CSRF Cookie name
8089 *
@@ -171,6 +180,7 @@ public function __construct($config)
171180 // Store our CSRF-related settings
172181 $ this CSRFExpire = $ configCSRFExpire ;
173182 $ this CSRFTokenName = $ configCSRFTokenName ;
183+ $ this CSRFHeaderName = $ configCSRFHeaderName ;
174184 $ this CSRFCookieName = $ configCSRFCookieName ;
175185 $ this CSRFRegenerate = $ configCSRFRegenerate ;
176186
@@ -206,12 +216,14 @@ public function CSRFVerify(RequestInterface $request)
206216 {
207217 return $ this CSRFSetCookie ($ request
208218 }
209-
210- // Do the token exist in _POST or php://input (json) data?
211- $ CSRFTokenValue$ _POST $ this CSRFTokenName ] ??
212- (!empty ($ inputfile_get_contents ('php://input ' )) && !empty ($ jsonjson_decode ($ inputjson_last_error () === JSON_ERROR_NONE ?
213- ($ json$ this CSRFTokenName } ?? null ) :
214- null );
219+
220+ // Do the tokens exist in _POST, HEADER or optionally php:://input - json data
221+ $ CSRFTokenValue$ _POST $ this CSRFTokenName ] ??
222+ (!is_null ($ requestgetHeader ($ this CSRFHeaderName )) && !empty ($ requestgetHeader ($ this CSRFHeaderName )->getValue ()) ?
223+ $ requestgetHeader ($ this CSRFHeaderName )->getValue () :
224+ (!empty (file_get_contents ('php://input ' )) && !empty ($ jsonjson_decode (file_get_contents ('php://input ' ))) && json_last_error () === JSON_ERROR_NONE ?
225+ ($ json$ this CSRFTokenName } ?? null ) :
226+ null ));
215227
216228 // Do the tokens exist in both the _POST/POSTed JSON and _COOKIE arrays?
217229if (! isset ($ CSRFTokenValue$ _COOKIE $ this CSRFCookieName ]) || $ CSRFTokenValue$ _COOKIE $ this CSRFCookieName ]
0 commit comments