fix(security): add CSRF protection to contact form (#42)

- Generate CSRF token (32 bytes) on GET requests - Add hidden csrf_token field to contact form - Validate token with hash_equals() (timing-safe) on POST - Reject invalid/missing tokens with user-friendly error Fix #42
2026-05-21 23:05:51 +00:00
parent 36b5639801
commit a919a392cc
2 changed files with 14 additions and 0 deletions
--- a/app/controllers/HomeController.php
+++ b/app/controllers/HomeController.php
@@ -41,7 +41,20 @@ class HomeController extends Controller
            $formData = ['fname' => '', 'lname' => '', 'email' => '', 'phone' => '', 'interest' => 'Besichtigung anfragen', 'message' => ''];
        }

+        // CSRF-Token generieren (nach Session-Start)
+        if (empty($_SESSION['csrf_token'])) {
+            $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
+        }
+
        if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+            // CSRF-Token validieren
+            $csrfToken = $_POST['csrf_token'] ?? '';
+            if (!hash_equals($_SESSION['csrf_token'] ?? '', $csrfToken)) {
+                header('Location: /#form-result');
+                $_SESSION['form_errors'] = ['Sicherheitsüberprüfung fehlgeschlagen. Bitte versuchen Sie es erneut.'];
+                exit;
+            }
+
            $formData['fname']    = $normalizeContactValue((string) ($_POST['fname'] ?? ''));
            $formData['lname']    = $normalizeContactValue((string) ($_POST['lname'] ?? ''));
            $formData['email']    = $normalizeContactValue((string) ($_POST['email'] ?? ''));
--- a/app/views/home/index.php
+++ b/app/views/home/index.php
@@ -434,6 +434,7 @@
          </div>
 <?php endif; ?>
          <form id="contactForm" method="post">
+            <input type="hidden" name="csrf_token" value="<?= htmlspecialchars($_SESSION['csrf_token'] ?? '') ?>" />
            <div class="form-row">
              <div class="form-field">
                <label for="fname">Vorname</label>