diff --git a/public/index.php b/public/index.php index ed4e391..e4b5722 100644 --- a/public/index.php +++ b/public/index.php @@ -26,6 +26,12 @@ if ($match !== null) { $authorized = true; } + if ($method === 'post' && $request->post('anti_csrf_token') !== $request->session()->get('anti_csrf_token')) { + header('Content-Type: text/html; charset=UTF-8', true, 403); + echo json_encode(['error' => 'no_valid_anti_csrf_token']); + return; + } + if ($authorized) { $response = call_user_func([$controller, $handler[1]]); diff --git a/web.php b/web.php index 34eb015..27aa54b 100644 --- a/web.php +++ b/web.php @@ -38,3 +38,7 @@ session_start([ 'cookie_httponly' => true, 'cookie_samesite' => 'Lax' ]); + +if (!isset($_SESSION['anti_csrf_token'])) { + $_SESSION['anti_csrf_token'] = hash('sha256', random_bytes(10) . microtime()); +}