We know that the right way to change persistent data in a database is to use only POST (or PUT) requests, but in real life every application has many places where data can be changed, added or removed via a GET request, and those actions need to be protected too:
- Activation of users after registration (via a security URL)
- Trivial operations on objects in datagrids (especially transitions of an object from one state to another)
- Setting custom filters in complex search forms
To protect your application from CSRF you could create a form Type for each such action (e.g. activation, subscription), but that is lengthy, tedious and goes against RAD.
Alternatively, you can fetch form.csrf_provider from the service container every time and validate the token manually.
To automate this routine, https://github.com/korotovsky/csrf-validator-bundle was written.
After installing the bundle, you only need to add a special annotation to each action you want to protect.
The @Krtv\Csrf annotation has two parameters:
- param – the name of the request parameter that carries the CSRF token
- intention – the intention that is attached to (and checked against) the token
That’s it. Validation is invoked during the kernel.controller event, i.e. after routing but before the controller is executed.
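As an added illustration (this is not code from csrf-validator-bundle, and the bundle's internals may differ), the following shows both approaches the text describes for a GET-triggered action: validating the token by hand with form.csrf_provider inside the controller, and a kernel.controller listener that does the same generically for any annotated action. It assumes Symfony 2.x (CsrfProviderInterface, FilterControllerEvent), doctrine/annotations, and the hypothetical names Acme\DemoBundle, user_activate and Acme\DemoBundle\Annotation\Csrf (modelled on the two @Krtv\Csrf parameters).

```php
<?php
// Added illustration, not code from csrf-validator-bundle. Three files shown together.
// Assumed: Symfony 2.x, doctrine/annotations, hypothetical Acme\DemoBundle namespace.

// --- file: src/Acme/DemoBundle/Annotation/Csrf.php ------------------------------
namespace Acme\DemoBundle\Annotation;

/**
 * Hypothetical annotation mirroring the @Krtv\Csrf parameters (param, intention).
 * @Annotation
 */
class Csrf
{
    /** @var string name of the request parameter carrying the token */
    public $param = '_token';

    /** @var string intention the token must have been generated for */
    public $intention = 'default';
}

// --- file: src/Acme/DemoBundle/Controller/UserController.php --------------------
namespace Acme\DemoBundle\Controller;

use Acme\DemoBundle\Annotation\Csrf;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

class UserController extends Controller
{
    // Builds the activation link mailed after registration. The token is bound to the
    // intention 'activate', so a token generated for another action is not accepted here.
    public function sendActivationAction($userId)
    {
        $token = $this->get('form.csrf_provider')->generateCsrfToken('activate');
        $url = $this->generateUrl('user_activate', array('id' => $userId, '_token' => $token), true);
        // ... send $url to the user by e-mail
        return new Response('Activation link sent.');
    }

    // Approach 1: manual check. Nothing is written before the token is verified.
    public function activateAction(Request $request, $id)
    {
        $provider = $this->get('form.csrf_provider');
        if (!$provider->isCsrfTokenValid('activate', $request->query->get('_token'))) {
            throw new AccessDeniedHttpException('Invalid CSRF token.');
        }
        // ... mark user $id as active
        return new Response('Account activated.');
    }

    /**
     * Approach 2: the listener below validates the token before this method runs.
     * @Csrf(param="_token", intention="activate")
     */
    public function activateAnnotatedAction($id)
    {
        // ... mark user $id as active
        return new Response('Account activated.');
    }
}

// --- file: src/Acme/DemoBundle/EventListener/CsrfListener.php -------------------
namespace Acme\DemoBundle\EventListener;

use Doctrine\Common\Annotations\Reader;
use Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfProviderInterface;
use Symfony\Component\HttpKernel\Event\FilterControllerEvent;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

class CsrfListener
{
    private $reader;
    private $provider;

    public function __construct(Reader $reader, CsrfProviderInterface $provider)
    {
        $this->reader   = $reader;
        $this->provider = $provider;
    }

    // Registered for kernel.controller: runs after routing has resolved the controller
    // but before the controller is executed, so an invalid request never reaches the action.
    public function onKernelController(FilterControllerEvent $event)
    {
        $controller = $event->getController();
        if (!is_array($controller)) {
            return; // closures and invokable objects carry no method annotation
        }

        $method     = new \ReflectionMethod($controller[0], $controller[1]);
        $annotation = $this->reader->getMethodAnnotation($method, 'Acme\DemoBundle\Annotation\Csrf');
        if (null === $annotation) {
            return; // action is not protected
        }

        // The token travels in the query string for the GET actions discussed here
        $token = $event->getRequest()->query->get($annotation->param);
        if (null === $token || !$this->provider->isCsrfTokenValid($annotation->intention, $token)) {
            throw new AccessDeniedHttpException('Invalid or missing CSRF token.');
        }
    }
}
```

To wire the listener, register it as a service tagged `kernel.event_listener` with `event: kernel.controller` and `method: onKernelController`, injecting the `annotation_reader` and `form.csrf_provider` services. The listener throws before the action body runs, so the annotated action contains only its business logic, which is the point of the annotation-driven approach.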