fix(security): add CSRF protection to contact form (#42)
All checks were successful
Deploy Feature Branch to Test / deploy (push) Successful in 25s
Lint / PHP Syntax Check (push) Successful in 32s
Lint / CSS Lint (stylelint) (push) Successful in 1m13s
Lint / HTML Lint (htmlhint) (push) Successful in 1m9s
Lint / PHP Syntax Check (pull_request) Successful in 32s
Lint / CSS Lint (stylelint) (pull_request) Successful in 1m16s
Lint / HTML Lint (htmlhint) (pull_request) Successful in 1m7s
- Generate CSRF token (32 bytes) on GET requests
- Add hidden csrf_token field to contact form
- Validate token with hash_equals() (timing-safe) on POST
- Reject invalid/missing tokens with user-friendly error

Fix #42
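The generate-on-GET / compare-with-hash_equals-on-POST flow described in the commit message, written out as an added illustration (this is not the project's own code; it assumes PHP 8, a session started before any output, and a single contact-form handler script):

```php
<?php
// Added example, not code from the commit. Assumes PHP >= 8 and that
// session_start() runs before any output is sent.
declare(strict_types=1);

session_start();

// On GET: mint one 32-byte token per session and keep it server-side.
// bin2hex() makes the value safe to embed in an HTML attribute as-is.
function ensureCsrfToken(): string
{
    if (empty($_SESSION['csrf_token']) || !is_string($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// On POST: compare the submitted field with the session copy in constant time.
// A missing session token, a missing field, or a non-string value is invalid.
function csrfTokenIsValid(array $post): bool
{
    $expected  = $_SESSION['csrf_token'] ?? null;
    $submitted = $post['csrf_token'] ?? null;
    if (!is_string($expected) || $expected === '' || !is_string($submitted)) {
        return false;
    }
    // hash_equals() takes time independent of where the strings first differ.
    return hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfTokenIsValid($_POST)) {
        http_response_code(403);
        exit('The form could not be submitted. Please reload the page and try again.');
    }
    // ... process the contact form here ...
}

$token = ensureCsrfToken();
?>
<form id="contactForm" method="post">
    <input type="hidden" name="csrf_token"
           value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>" />
    <!-- remaining form fields -->
</form>
```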
@@ -434,6 +434,7 @@
</div>
<?php endif; ?>
<form id="contactForm" method="post">
<input type="hidden" name="csrf_token" value="<?= htmlspecialchars($_SESSION['csrf_token'] ?? '') ?>" />
<div class="form-row">
<div class="form-field">
<label for="fname">Vorname</label>
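Review bot: the `?? ''` fallback on the hidden input means that if `$_SESSION['csrf_token']` is unset when this template renders (session not started before this point, or the token only minted on another code path), the form silently ships an empty token and every submission will then be rejected with the user-facing error instead of surfacing the misconfiguration; generate the token before rendering and make its absence fail loudly here rather than defaulting to an empty string. Passing `ENT_QUOTES` to `htmlspecialchars()` explicitly would also document the intent, even though the default flags already escape the double quote used by this attribute. The `hash_equals()` check named in the commit message is not part of this hunk, so it cannot be reviewed here.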