coldbox-security-csrf

Official

Protect ColdBox forms from CSRF attacks

Author: ColdBox
Version: 1.0.0
Installs: 0

System Documentation

What problem does it solve?

Prevents cross-site request forgery by generating and validating per-session tokens, so that state-changing requests cannot be forged by third-party sites. It reduces the risk of an attacker performing unwanted actions on behalf of an authenticated user and, when used alongside proper authentication and HTTPS, helps contain the consequences of a hijacked session.

Core Features & Use Cases

  • Automatic token injection: Add csrf() helpers to views to emit hidden CSRF fields for form submissions.
  • Server-side verification: cbcsrf verifies tokens on POST/PUT/PATCH/DELETE handlers; tokens can also be validated manually with verifyCSRFToken.
  • Configurable behavior: Configure token key, expiration, rotation, verifyMethod, and route exclusion patterns in moduleSettings.
  • AJAX support: Emit tokens as meta tags and include them via headers for fetch/XHR calls.
  • Interceptor integration: Centralize global validation in an interceptor for consistent protection across handlers and routes.
  • Use Case: Secure typical CRUD forms and admin actions while excluding API endpoints that use JWT/API keys.

Quick Start

Add csrf() to your form templates, enable the cbcsrf module in moduleSettings with an appropriate tokenKey and exclusions, and submit a POST to confirm the token is generated and validated.

Dependency Matrix

Required Modules

None required

Components

Standard package

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.

Please help me install this Skill:
Name: coldbox-security-csrf
Download link: https://github.com/ColdBox/skills/archive/main.zip#coldbox-security-csrf

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
