<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<title>csrf-magic: Wizzard CSRF Protection for PHP</title>
<meta name="description" content="Drop-in PHP library that automagically adds CSRF protection to an application." />
<meta name="keywords" content="library, security, open source, csrf, cross-site request forgery, protection" />
<!-- See news.xhtml for definition -->
<link rel="alternate" type="application/rss+xml" title="News for csrf-magic" href="news.rss" />
<h1 id="title">csrf-magic</h1>

<p>Securing your application against Cross-Site Request Forgery has never been easier. Why rewrite every form on your website when a program can do it for you? Simply drop this at the top of every PHP file:</p>

<pre><code>require_once '/path/to/csrf-magic.php';</code></pre>

<p>...and let the magic take care of the rest. <a href="">Download it now!</a></p>

<h2>What is CSRF?</h2>
<p>Cross-Site Request Forgery (CSRF) is a relatively new attack vector against websites. It involves an attacker tricking a browser into performing an action on another website. For example, imagine this scenario. Bob is the human resources manager for a large and important company. He has the ability to hire and fire with a click of a button... specifically, a web form button. Mallory, as a practical joke, decides to set up a CSRF attack against Bob: she crafts a webpage which submits a form to the internal website that performs hirings and firings, then she sends Bob an email linking to this webpage. The next day, every employee wakes up to find a rather nasty pink slip in their inbox.</p>
<h2>Why csrf-magic?</h2>

<p>The current standard for preventing CSRF is creating a nonce that the user must submit along with every form he/she submits. This is reasonably effective, but incredibly tedious work: if you were hand-writing your forms or have multiple avenues for POST data to enter your application, adding CSRF protection may not seem worth the trouble.</p>

This is where csrf-magic comes into play. csrf-magic uses PHP's output buffering capabilities to dynamically rewrite forms and scripts in your document. It will also intercept POST requests and check their token (various algorithms are used; some generate nonces, some generate user-specific tokens). This means that with a traditional website with forms, you can drop it into your application,
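<p>As an added illustration, not csrf-magic's own code, this minimal PHP sketch shows the mechanism just described: an output-buffer callback appends a hidden token field to every POST form in the rendered page, and a check at the top of the request rejects POSTs whose token does not match the one stored in the session. The field name <code>__csrf_token</code> and the helper function names are assumptions.</p>

```php
<?php
// Added example (not csrf-magic's own code): a minimal version of the
// output-buffering technique the page describes. The field name
// "__csrf_token" and the helper names are assumptions.

session_start();

// One random token per session; generated only when missing.
function csrf_get_token(): string {
    if (empty($_SESSION['__csrf_token'])) {
        $_SESSION['__csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['__csrf_token'];
}

// Verify the submitted token with a constant-time comparison, so response
// time does not reveal how many leading bytes of a guess were correct.
function csrf_check_post(array $post, ?string $sessionToken): bool {
    $sent = $post['__csrf_token'] ?? '';
    if (!is_string($sent) || $sessionToken === null || $sessionToken === '') {
        return false;
    }
    return hash_equals($sessionToken, $sent);
}

// Rewrite the buffered HTML: append a hidden input after each <form> tag
// whose method is POST. GET forms are left alone; they should not change state.
function csrf_rewrite_forms(string $html, string $token): string {
    $field = '<input type="hidden" name="__csrf_token" value="'
           . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '" />';
    return preg_replace_callback(
        '/<form\b[^>]*\bmethod\s*=\s*["\']?post["\']?[^>]*>/i',
        fn(array $m) => $m[0] . $field,
        $html
    );
}

// Drop-in part: reject POSTs without a valid token before the application
// runs, then buffer all output so forms can be rewritten when the script ends.
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && !csrf_check_post($_POST, $_SESSION['__csrf_token'] ?? null)) {
    http_response_code(403);
    exit('CSRF check failed');
}
ob_start(fn(string $buf) => csrf_rewrite_forms($buf, csrf_get_token()));
```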