In this episode, we dive into what Cross-Site Request Forgery (CSRF) actually is, why it's so important to protect against it, and how to set up CSRF protection in our application. We start off by looking at how forms can be vulnerable to CSRF attacks, especially for sensitive actions like deleting data or logging out users, and why simply using POST requests isn’t enough to stop attacks.
To protect our routes, we integrate a CSRF middleware using the Slim PHP framework. You'll see how to pull the package in with Composer, set up a new CSRF Service Provider, and wire it into the app’s container and configuration. We also cover how to apply this middleware to your routes, either globally or to specific ones, so any unsafe requests without the correct token get blocked.
Together, we step into the package's guard class to see how the middleware actually checks tokens, when it runs, and why GET requests are left unchecked. You'll also see how failed CSRF checks are handled, with a quick note that we'll customize this later for friendlier error messages.
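To make the wiring concrete, here is an added example of the setup described above, not the course's own code: a single Slim 4 front controller that registers `Slim\Csrf\Guard` globally, swaps in a custom failure handler, and embeds the token pair in a form. It assumes `composer require slim/slim slim/psr7 slim/csrf` has already been run and that the route paths are illustrative.

```php
<?php
// Added example, not the course's own code: a minimal Slim 4 front controller
// wiring slim/csrf's Guard in as middleware. Assumes
// `composer require slim/slim slim/psr7 slim/csrf` has already been run.
require __DIR__ . '/vendor/autoload.php';

use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use Psr\Http\Server\RequestHandlerInterface as Handler;
use Slim\Csrf\Guard;
use Slim\Factory\AppFactory;

session_start(); // Guard keeps the issued tokens in $_SESSION by default
$app = AppFactory::create();
$responseFactory = $app->getResponseFactory();

// Guard checks a token name/value pair in the parsed body on POST, PUT,
// PATCH and DELETE; GET, HEAD and OPTIONS pass through without a check.
$guard = new Guard($responseFactory);
// Replace the default "Failed CSRF check!" 400 response with a JSON 403.
$guard->setFailureHandler(function (Request $request, Handler $handler) use ($responseFactory): Response {
    $response = $responseFactory->createResponse(403);
    $response->getBody()->write(json_encode(['error' => 'CSRF token missing or invalid']));
    return $response->withHeader('Content-Type', 'application/json');
});

// Global registration: every route sits behind the guard. To protect only
// chosen routes, drop this line and call ->add($guard) on those routes instead.
$app->add($guard);
// Body parsing must run before the guard; Slim runs middleware last-in, first-out.
$app->addBodyParsingMiddleware();

// Sensitive action: a cross-site form post reaches this only with a valid token.
$app->post('/account/delete', function (Request $request, Response $response): Response {
    $response->getBody()->write('Account deleted.');
    return $response;
});

// On safe requests the guard attaches a fresh token pair as request attributes;
// embed them as hidden fields so the legitimate submission passes the check.
$app->get('/account', function (Request $request, Response $response) use ($guard): Response {
    $nameKey = $guard->getTokenNameKey();
    $valueKey = $guard->getTokenValueKey();
    $response->getBody()->write(sprintf(
        '<form method="post" action="/account/delete">'
        . '<input type="hidden" name="%s" value="%s"><input type="hidden" name="%s" value="%s">'
        . '<button>Delete account</button></form>',
        $nameKey, htmlspecialchars((string) $request->getAttribute($nameKey)),
        $valueKey, htmlspecialchars((string) $request->getAttribute($valueKey))
    ));
    return $response;
});
$app->run();
```

A POST to `/account/delete` without the two hidden fields (for example, one submitted from another site) is answered by the failure handler and never reaches the route body.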
By the end of this episode, CSRF protection will be live in your app. Up next, we’ll focus on generating and using tokens in your forms so the protection works smoothly for your users.