|
1 | | -**************** |
2 | | -Security Library |
3 | | -**************** |
| 1 | +############## |
| 2 | +Security Class |
| 3 | +############## |
4 | 4 |
|
5 | | -TODO |
| 5 | +The Security Class contains methods that help protect your site against Cross-Site Request Forgery attacks. |
| 6 | + |
| 7 | +.. contents:: |
| 8 | +:local: |
| 9 | + |
| 10 | +******************* |
| 11 | +Loading the Library |
| 12 | +******************* |
| 13 | + |
| 14 | +You do not need to load this library if CSRF protection is turned on, as it is loaded during the bootstrap process. |
| 15 | +In other cases, though, you may load it through the Services file:: |
| 16 | + |
| 17 | + $security = \Config\Services::security(); |
| 18 | + |
| 19 | +********************************* |
| 20 | +Cross-site request forgery (CSRF) |
| 21 | +********************************* |
| 22 | + |
| 23 | +You can enable CSRF protection by altering your **application/Config/App.php** |
| 24 | +file in the following way:: |
| 25 | + |
| 26 | + public $CSRFProtection = true; |
| 27 | + |
| 28 | +If you use the :doc:`form helper <../helpers/form_helper>`, then |
| 29 | +:func:`form_open()` will automatically insert a hidden csrf field in |
| 30 | +your forms. If not, then you can use the always available ``csrf_token()`` |
| 31 | +and ``csrf_hash()`` functions |
| 32 | +:: |
| 33 | + |
| 34 | + <input type="hidden" name="<?= csrf_token() ?>" value="<?= csrf_hash() ?>" /> |
| 35 | + |
| 36 | +Tokens may be either regenerated on every submission (default) or |
| 37 | +kept the same throughout the life of the CSRF cookie. The default |
| 38 | +regeneration of tokens provides stricter security, but may result |
| 39 | +in usability concerns as other tokens become invalid (back/forward |
| 40 | +navigation, multiple tabs/windows, asynchronous actions, etc). You |
| 41 | +may alter this behavior by editing the following config parameter |
| 42 | +:: |
| 43 | + |
| 44 | + public $CSRFRegenerate = true; |
| 45 | + |
| 46 | +Select URIs can be whitelisted from CSRF protection (for example API |
| 47 | +endpoints expecting externally POSTed content). You can add these URIs |
| 48 | +by editing the 'CSRFExcludeURIs' config parameter:: |
| 49 | + |
| 50 | + public $CSRFExcludeURIs = ['api/person/add']; |
| 51 | + |
| 52 | +Regular expressions are also supported (case-insensitive):: |
| 53 | + |
| 54 | + public $CSRFExcludeURIs = [ |
| 55 | + 'api/record/[0-9]+', |
| 56 | + 'api/title/[a-z]+' |
| 57 | + ]; |
| 58 | + |
| 59 | +********************* |
| 60 | +Other Helpful Methods |
| 61 | +********************* |
| 62 | + |
| 63 | +You will never need to use most of the methods in the Security class directly. The following are methods that |
| 64 | +you might find helpful that are not related to the CSRF protection. |
| 65 | + |
| 66 | +**sanitizeFilename()** |
| 67 | + |
| 68 | +Tries to sanitize filenames in order to prevent directory traversal attempts and other security threats, which is |
| 69 | +particularly useful for files that were supplied via user input. The first parameter is the path to sanitize. |
| 70 | + |
| 71 | +If it is acceptable for the user input to include relative paths, e.g. file/in/some/approved/folder.txt, you can set |
| 72 | +the second optional parameter, $relative_path to true. |
| 73 | +:: |
| 74 | + |
| 75 | + $path = $security->sanitizeFilename($request->getVar('filepath')); |
0 commit comments