Commit
fix readme
olegbaturin committed Oct 28, 2024
1 parent a12399d commit 927ebbe
Showing 3 changed files with 17 additions and 17 deletions.
4 changes: 2 additions & 2 deletions CHANGELOG.md
Expand Up @@ -2,8 +2,8 @@

## 2.1.2 under development

- New #68: Add the `CsrfHeaderMiddleware` middleware for employing custom HTTP header to prevent forgery of requests (@olegbaturin)
- Enh #68: Add the `CsrfMiddleware::withSafeMethods()` method to configuure a custom safe HTTP methods list (@olegbaturin)
- New #68: Add the `CsrfHeaderMiddleware` middleware to use custom HTTP header to prevent forgery of requests (@olegbaturin)
- Enh #68: Add the `CsrfMiddleware::withSafeMethods()` method to configure a custom safe HTTP methods list (@olegbaturin)

## 2.1.1 May 08, 2024

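Review bot: the rewritten `New #68` line still drops the article ("to use custom HTTP header"); make it "to use a custom HTTP header to prevent forgery of requests". Because both entries reference the same issue, it would also help readers to say in the `New` entry that `CsrfHeaderMiddleware` checks only for the presence of the configured header (the README later allows "an empty or random value") and so relies on CORS preflight behaviour rather than on a token, so it is not a drop-in replacement for `CsrfMiddleware`.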
28 changes: 14 additions & 14 deletions README.md
Expand Up @@ -117,9 +117,9 @@ $csrfMiddleware = $csrfMiddleware->withSafeMethods([Method::OPTIONS]);
$csrfMiddleware = $csrfMiddleware->withHeaderName('X-CSRF-PROTECTION');
```

or define the `CsrfMiddleware` configuration in the DI container
or define the `CsrfMiddleware` configuration in the DI container:

`config/web/di/csrf.php`:
`config/web/di/csrf.php`

```php
use Yiisoft\Csrf\CsrfMiddleware;
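Review bot: the colon move is fine, but the example that leads into this hunk, `withSafeMethods([Method::OPTIONS])`, is shown without saying what it implies: once only `OPTIONS` is safe, `GET` and `HEAD` are validated too, so plain link navigation and any form or fetch that does not carry the token will be rejected. One sentence after the snippet stating that this setting is meant for API/JavaScript clients (as the later "Configure middlewares stack" text explains) would prevent copy-paste misconfiguration in server-rendered apps.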
Expand Down Expand Up @@ -254,9 +254,9 @@ $csrfHeaderMiddleware = $csrfHeaderMiddleware->withUnsafeMethods([Method::POST,
$csrfHeaderMiddleware = $csrfHeaderMiddleware->withHeaderName('X-CSRF-PROTECTION');
```

or define the `CsrfHeaderMiddleware` configuration in the DI container
or define the `CsrfHeaderMiddleware` configuration in the DI container:

`config/web/di/csrf.php`:
`config/web/di/csrf.php`

```php
use Yiisoft\Csrf\CsrfHeaderMiddleware;
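Review bot: `CsrfHeaderMiddleware::withUnsafeMethods([Method::POST, ...` in this hunk is the inverse of `CsrfMiddleware::withSafeMethods([...])` in the previous one (one lists methods that are checked, the other lists methods that are skipped). The README should call out that difference next to the two snippets, otherwise a reader who configures both middlewares with the same list will silently leave one of them checking nothing or everything.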
Expand All @@ -283,12 +283,12 @@ In this scenario
- Cross-origin requests to the API server are denied.
- Simple CORS requests must be restricted.

**Configure CORS module**
#### Configure CORS module

- Responses to a CORS preflight requests **must not** contain CORS headers.
- Responses to an actual requests **must not** contain CORS headers.

**Configure middlewares stack**
#### Configure middlewares stack

Add `CsrfHeaderMiddleware` to the main middleware stack

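Review bot: the unchanged bullets under "Configure CORS module" have article/number mismatches ("Responses to a CORS preflight requests", "Responses to an actual requests"); since this commit is a README fix, correct them here to "Responses to CORS preflight requests" and "Responses to actual requests". The same block should also state why the scenario works: a custom header makes the request non-simple, so the browser sends a preflight first, and a preflight answered without CORS headers is rejected by the browser before the actual request is ever sent. Without that sentence "Simple CORS requests must be restricted" reads as a CORS configuration task, while it is actually enforced by `CsrfHeaderMiddleware` rejecting requests that lack the header.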
Expand All @@ -312,7 +312,7 @@ $collector->addGroup(
);
```

**Configure frontend requests**
#### Configure frontend requests

On the frontend add to the `GET`, `HEAD`, `POST` requests a custom header defined in the `CsrfHeaderMiddleware` with an empty or random value.

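Review bot: "with an empty or random value" should be explained rather than left as an option: the middleware only checks that the header is present, and the protection comes from the browser refusing to send a cross-origin request with a custom header unless a preflight allowed it. It is also worth saying that the header has to be on every non-`OPTIONS` request the frontend makes, including `GET` and `HEAD`, and that `OPTIONS` is exempt because the browser's own preflight cannot carry the custom header.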
Expand All @@ -331,7 +331,7 @@ In this scenario:
- Allow cross origin requests to the API server from the list of specific origins only.
- Simple CORS requests must be restricted.

**Configure CORS module**
#### Configure CORS module

- A successful responses to a CORS preflight requests **must** contain appropriate CORS headers.
- Responses to an actual requests **must** contain appropriate CORS headers.
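Review bot: same grammar issue as in the first scenario ("A successful responses to a CORS preflight requests", "Responses to an actual requests"); fix to "Successful responses to CORS preflight requests" and "Responses to actual requests". More importantly, "appropriate CORS headers" should be spelled out: besides `Access-Control-Allow-Origin`, the preflight response must list the custom header configured via `withHeaderName('X-CSRF-PROTECTION')` in `Access-Control-Allow-Headers`, otherwise the browser blocks the actual request even though the origin is allowed.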
Expand All @@ -342,7 +342,7 @@ In this scenario:
Access-Control-Allow-Origin: https://example.com
```

**Configure middlewares stack**
#### Configure middlewares stack

Add `CsrfHeaderMiddleware` to the main middleware stack

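Review bot: the example shows a fixed `Access-Control-Allow-Origin: https://example.com`, but the scenario text says requests are allowed "from the list of specific origins". When the value is chosen per request from such a list, the response must also carry `Vary: Origin`, or a shared cache may serve a response that names one allowed origin to a page on another one.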
Expand All @@ -366,7 +366,7 @@ $collector->addGroup(
);
```

**Configure frontend requests**
#### Configure frontend requests

On the frontend add to the `GET`, `HEAD`, `POST` requests a custom header defined in the `CsrfHeaderMiddleware` with an empty or random value.

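Review bot: this "Configure frontend requests" paragraph is a verbatim copy of the first scenario's, but here the frontend is on a different origin. If the API authenticates with cookies, the frontend has to send credentialed requests (for example `fetch` with `credentials: 'include'`), and then the CORS responses in the previous block must also carry `Access-Control-Allow-Credentials: true`; a wildcard `Access-Control-Allow-Origin` is not permitted in that case. Either say that here or note that this scenario assumes non-cookie authentication.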
Expand All @@ -385,7 +385,7 @@ In this scenario:
- Allow cross origin requests to the API server from any origin.
- All requests are considered unsafe and **must** be protected against CSRF with CSRF-token.

**Configure CORS module**
#### Configure CORS module

- A successful responses to a CORS preflight requests **must** contain appropriate CORS headers.
- Responses to an actual requests **must** contain appropriate CORS headers.
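Review bot: the same grammar fixes apply here ("Successful responses to CORS preflight requests", "Responses to actual requests"). The bullet "All requests are considered unsafe and must be protected against CSRF with CSRF-token" conflicts with the middleware configuration described two hunks later, where `OPTIONS` is still treated as safe; say "all requests except `OPTIONS`" so the two sections agree.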
Expand All @@ -397,7 +397,7 @@ $frontendOrigin = $request->getOrigin();
Access-Control-Allow-Origin: $frontendOrigin
```

**Configure middlewares stack**
#### Configure middlewares stack

By default, `CsrfMiddleware` considers `GET`, `HEAD`, `OPTIONS` methods as safe operations and doesn't perform CSRF validation.
In JavaScript-based apps, requests are made programmatically; therefore, to increase application protection, the only `OPTIONS` method can be considered safe and need not be appended with a CSRF token header.
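Review bot: `Access-Control-Allow-Origin: $frontendOrigin` with `$frontendOrigin = $request->getOrigin()` reflects whatever origin the browser sends, which is equivalent to allowing any origin. The section must state explicitly that `Access-Control-Allow-Credentials: true` is not sent in this scenario: combined with origin reflection, a credentialed cross-origin request from any site could read the token from the `/csrf-token` route defined below (served via `OPTIONS`, which this configuration leaves unvalidated) and then pass the token check, leaving no CSRF protection at all. Also, "the only `OPTIONS` method can be considered safe" reads oddly; "only the `OPTIONS` method can be considered safe" is what is meant.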
Expand Down Expand Up @@ -432,7 +432,7 @@ $collector->addGroup(
);
```

**Configure routes**
#### Configure routes

Create a route for acquiring CSRF-tokens from the frontend application.

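Review bot: "Create a route for acquiring CSRF-tokens from the frontend application" reads as if the server fetches tokens from the frontend; "Create a route the frontend application uses to acquire a CSRF token" says what the following snippet does.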
Expand Down Expand Up @@ -460,7 +460,7 @@ Route::options('/csrf-token')
}),
```

**Configure frontend requests**
#### Configure frontend requests

On the frontend first make a request to the configured endpoint and acquire a CSRF-token to use it in the subsequent requests.

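Review bot: `Route::options('/csrf-token')` will receive two kinds of requests. `OPTIONS` is not a CORS-safelisted method (only `GET`, `HEAD` and `POST` are), so a cross-origin `fetch` with `method: 'OPTIONS'` first triggers a browser preflight, itself an `OPTIONS` to the same path carrying `Access-Control-Request-Method`. Either the CORS middleware must answer that preflight before this handler runs, or the handler has to distinguish the preflight from the real token request; the README should say which, since otherwise the first cross-origin token fetch fails in a way that is hard to debug.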
2 changes: 1 addition & 1 deletion src/CsrfHeaderMiddleware.php
Expand Up @@ -15,7 +15,7 @@
use function in_array;

/**
* PSR-15 middleware that takes care of custom HTTP header validation.
* PSR-15 middleware that takes care of custom HTTP header CSRF validation.
*
* @link https://www.php-fig.org/psr/psr-15/
* @link https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#employing-custom-request-headers-for-ajaxapi
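Review bot: "custom HTTP header CSRF validation" is an improvement, but the docblock still does not say what is validated. Per the README ("an empty or random value") the middleware only checks that the configured header is present on the configured methods; state that in the summary, e.g. "PSR-15 middleware that rejects unsafe requests lacking a configured custom HTTP header (header presence only, no token check)", so callers do not assume it verifies a token.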