Automatic CSRF protection for JavaScript apps using a Symfony API
Alternatives To Dunglasangularcsrfbundle
Project NameStarsDownloadsRepos Using ThisPackages Using ThisMost Recent CommitTotal ReleasesLatest ReleaseOpen IssuesLicenseLanguage
Security Csrf1,6442,9021982 months ago438January 20, 2023mitPHP
Symfony Security Component - CSRF Library
Dunglasangularcsrfbundle1511123 years ago5May 06, 2019mitPHP
Automatic CSRF protection for JavaScript apps using a Symfony API
7 years ago1PHP
搭建一个可用的Yaf,包括Laravel的Eloquent ORM、Twig、脚手架、Whoops和使用用例
Auth0 Bundle12
2 years ago18September 25, 2021mitPHP
Symfony integration for Auth0
3 months ago3December 31, 20201mitPHP
Symfony bundle that provides Cross Site Request Forgery (CSRF or XSRF) protection for client-side applications
Latte Bundle5
3 years agomitPHP
Latte templating engine for Symfony
Symfony Standard Headers Csrf Bundle2
7 months ago1mitPHP
Protect symfony applications against CSRF attacks with the help of standard headers.
Symfony2 Csrf Firewall Bundle2
11 years agoother
📦 Cross site request forgery firewall bundle for Symfony2
Alternatives To Dunglasangularcsrfbundle
Select To Compare

Alternative Project Comparisons

JavaScript CSRF Protection Bundle

Archived! Now that all modern browsers implement SameSite cookies and the Origin HTTP header, this bundle is - in most cases - not necessary anymore. Learn how to protect your Symfony APIs from CSRF attacks. If you need to maintain old applications, take a look to DneustadtCsrfCookieBundle.

This API Platform and Symfony bundle provides automatic Cross Site Request Forgery (CSRF or XSRF) protection for client-side applications.

Despite the name, it works with any client-side technology including Angular, React, Vue.js and jQuery. Actually, any JavaScript code issuing XMLHttpRequest or using the Fetch API can leverage this bundle.

Build Status SensioLabsInsight Dependency Status StyleCI

How it Works

Thanks to this bundle, the server-side application (the Symfony app) will automatically set a cookie named XSRF-Token containing a unique token during the first HTTP response sent to the browser. Subsequent asynchronous requests made by the JavaScript app with xhr or fetch send back the value of the cookie in a special HTTP header named X-XSRF-Token.

To prevent CSRF attacks, the bundle will check that the header's value match the cookie's value. This way, it will be able to detect and block CSRF attacks.

AngularJS (v1)'s ng.$http service has a built-in support for this CSRF protection system. If you use another framework or HTTP client (such as Axios), you just need to read the cookie value and add the HTTP header containing it by yourself.

This bundle provides a Symfony's Event Listener that set the cookie and another one that checks the HTTP header to block CSRF attacks.

Thanks to DunglasAngularCsrfBundle, you get CSRF security without modifying your code base.

This bundle works fine with both API Platform and FOSRestBundle.


Use Composer to install this bundle:

composer require dunglas/angular-csrf-bundle

If you use Symfony Flex, you're done.

Otherwise add the bundle in your application kernel:

// app/AppKernel.php

public function registerBundles()
    return array(
        // ...
        new Dunglas\AngularCsrfBundle\DunglasAngularCsrfBundle(),
        // ...

Configure URLs where the cookie must be set and that must be protected against CSRF attacks:

# app/config/security.yml
    # Collection of patterns where to set the cookie
            - { path: ^/$ }
            - { route: ^app_, methods: [GET, HEAD] }
            - { host: example.com }
    # Collection of patterns to secure
        - { path: ^/api, methods: [POST, PUT, PATCH, LINK] }
        - { route: ^api_v2_ }
        - { host: example.com, methods: [POST, PUT, PATCH, DELETE, LINK] }
    # Collection of patterns to exclude
        - { path: ^/api/exclude, methods: [POST, PUT, PATCH, LINK] }
        - { route: ^api_v2_exclude }
        - { host: exclude-example.com, methods: [POST, PUT, PATCH, DELETE, LINK] }

Your app is now secured.


  • DunglasTodoMVCBundle: an implementation of the TodoMVC app using Symfony, Backbone.js and Chaplin.js

Full Configuration

        # The CSRF token id
        id: angular
        # The name of the HTTP header to check (default to the AngularJS default)
        name: X-XSRF-TOKEN
        # The name of the cookie to set (default to the AngularJS default)
        name: XSRF-TOKEN
        # Expiration time of the cookie
        expire: 0
        # Path of the cookie
        path: /
        # Domain of the cookie
        domain: ~
        # If true, set the cookie only on HTTPS connection
        secure: false
        # Patterns of URLs to set the cookie
            - { path: "^/url-pattern", route: "^route_name_pattern$", host: "example.com", methods: [GET, POST] }
    # Patterns of URLs to check for a valid CSRF token
        - { path: "^/url-pattern", route: "^route_name_pattern$", host: "example.com", methods: [GET, POST] }
    # Patterns to exclude from secure routes
        - { path: "^/url-pattern/exclude", route: "^route_name_pattern$", host: "example.com", methods: [GET, POST] }

Integration with the Symfony Form Component

When using the Symfony Form Component together with DunglasAngularCsrfBundle, the bundle will automatically disable the built-in form CSRF protection only if the CSRF token provided by the header is valid.

If no CSRF header is found or if the token is invalid, the form CSRF protection will not be disabled by the bundle.

If you want your form to be validated only by the form component system, make sure to remove its URL from the config.


This bundle has been created by Kévin Dunglas.

Popular Symfony Projects
Popular Csrf Projects
Popular Frameworks Categories
Related Searches

Get A Weekly Email With Trending Projects For These Categories
No Spam. Unsubscribe easily at any time.
Symfony Bundle
Http Header