Skip to content

Kévin Dunglas

Founder of Les-Tilleuls.coop (worker-owned cooperative). Creator of API Platform, Mercure.rocks, Vulcain.rocks and of some Symfony components.

Menu
  • Talks
  • Resume
  • Sponsor me
  • Contact
Menu

DunglasAngularCsrfBundle: protect your Symfony / AngularJS apps against CSRF attacks

Posted on January 2, 2014January 3, 2014 by Kévin Dunglas

I create and I see more and more web applications sharing the same powerful architecture:

  • Server-side, a REST API built with the popular Symfony framework and its ecosystem (especially FOSRestBundle, JMSSerializerBundle and sometimes BazingaHateoasBundle for hypermedia APIs).
  • Client-side, a SPA built with Google’s AngularJS consuming the REST API provided by the server with Restangular or a similar library.

 These components share the same philosophy (built on top of dependency injection and MVC-like patterns, designed to be intensively tested) and play very well together.

This stack allows to create awesome blazing-fast web applications. Better, the client part and the server part of the app are loosely coupled, can evolve separately and can even be maintained by different teams.

However, this kind of apps often suffer of security problems, and especially Cross-site Request Forgery (CSRF or XSRF) vulnerabilities.

Both Symfony and AngularJS provide their own CSRF protection mechanisms, but by default they are not interoperable and not enabled. Thanks to a recent refactoring of the Symfony’s security component, it’s now possible and clean to make both systems working together, and I’ve just released an open source bundle to do that: DunglasAngularCsrfBundle.

This bundle provides out of the box CSRF protection for AngularJS apps interacting with a Symfony-backed app.

Despite it’s name, it does not depend of AngularJS and can also be used with Chaplin.js / Backbone.js, jQuery or even raw JavaScript. To do so, install and configure the bundle, then just add to XHR requests a HTTP header called X-XSRF-TOKEN containing the value of the token set by a cookie on the first HTTP request. The bundle will automatically check the validity of the provided token. If it is not valid, an Access Denied error (HTTP 401) will be thrown.

The bundle is fully tested with phpspec and obtain a platinum medal on the brand new (awesome) SensioLabs Insight quality monitoring system.

Internals documentation and installation instructions are provided on the GitHub page of the bundle. Check it, test it, star it and tell me what you think of it!

Download DunglasAngularCsrfBundle on GitHub. 

Related posts:

  1. DunglasTodoMVCBundle compatible with Symfony 2.4
  2. CoopTilleulsOVHBundle: OVH SDK integration in Symfony
  3. DunglasTorControlBundle, TorControl Symfony integration
  4. API Platform 2.1 Feature Walkthrough: Create Blazing Fast Hypermedia APIs, Generate JS Apps

2 thoughts on “DunglasAngularCsrfBundle: protect your Symfony / AngularJS apps against CSRF attacks”

  1. Pingback: New release of the ACL extension for Sonata Admin - développeur Symfony - Lille
  2. Matt Robinson says:
    January 25, 2015 at 10:56 pm

    If only I knew about this last month; I had to do it myself, and not nearly as well as this!

    Reply

Leave a Reply Cancel reply

Follow me on Twitter

My Tweets

Subscribe to this blog

Recent Posts

  • Goroutines, threads, and thread IDs
  • New in Caddy 2.5: Redact Sensitive Data from Your Logs
  • Building Decentralized Web Apps with Solid and PHP
  • JSON Columns and Doctrine DBAL 3 Upgrade
  • Preventing CORS Preflight Requests Using Content Negotiation

Top Posts & Pages

  • JSON Columns and Doctrine DBAL 3 Upgrade
  • Using the "103 Early Hints" Status Code in Go Applications
  • Generate a Symfony password hash from the command line
  • Building Decentralized Web Apps with Solid and PHP
  • PHP 7: Introducing a domain name validator and making the URL validator stricter
  • New in Caddy 2.5: Redact Sensitive Data from Your Logs
  • Webperf: PHP after Server Push
  • Vulcain: HTTP/2 Server Push
 and the rise of client-driven REST APIs
  • Goroutines, threads, and thread IDs
  • Installing a LaTeX environment on a Mac

Persistence in PHP with the Doctrine ORM

Persistence in PHP with the Doctrine ORM

Tags

Apache API API Platform Buzz Caddy Docker Doctrine Go Google HTTP/2 Hydra hypermedia Hébergement Javascript JSON-LD Kubernetes La Coopérative des Tilleuls Les-Tilleuls.coop Lille Linux Mac Mercure Messagerie Instantanée MySQL Open Source PHP Punk Rock Python React REST Rock'n'Roll RSS Schema.org Security SEO SEO Symfony Symfony Live Sécurité Ubuntu Vue.js Web 2.0 Wordpress XHTML XML

Archives

Categories

  • DevOps (24)
  • Mercure (3)
  • Opinions (91)
  • Programming (179)
    • Android (5)
    • Go (12)
    • JavaScript (43)
    • PHP (137)
      • API Platform (60)
      • Symfony (89)
    • Python (14)
      • Django (5)
  • Security (15)
  • SEO (24)
  • Talks (37)
  • Ubuntu (68)
  • Wordpress (6)

Blogoliste

  • API Platform
  • Les-Tilleuls.coop
  • Mercure.rocks
  • Vulcain.rocks
© 2022 Kévin Dunglas | Powered by Minimalist Blog WordPress Theme