Upgrade Security

Documentations

Note

If you use the form helper and enable the CSRF filter globally, then form_open() will automatically insert a hidden CSRF field in your forms. So you do not have to upgrade this by yourself.

What has been changed

  • The method to implement CSRF tokens to html forms has been changed.

Upgrade Guide

  1. To enable CSRF protection in CI4 you have to enable it in app/Config/Filters.php:

    <?php
    
    namespace Config;
    
    use CodeIgniter\Config\BaseConfig;
    
    class Filters extends BaseConfig
    {
        // ...
    
        public $globals = [
            'before' => [
                // 'honeypot',
                'csrf',
            ],
        ];
        // ...
    }
    
  2. Within your HTML forms you have to remove the CSRF input field which looks similar to <input type="hidden" name="<?= $csrf['name'] ?>" value="<?= $csrf['hash'] ?>" />.

  3. Now, within your HTML forms you have to add <?= csrf_field() ?> somewhere in the form body, unless you are using form_open().

Code Example

CodeIgniter Version 3.x

<?php

$csrf = array(
    'name' => $this->security->get_csrf_token_name(),
    'hash' => $this->security->get_csrf_hash()
);

?>

<form>
    <input name="name" type="text">
    <input name="email" type="text">
    <input name="password" type="password">

    <input type="hidden" name="<?= $csrf['name'] ?>" value="<?= $csrf['hash'] ?>" />
    <input type="submit" value="Save">
</form>

CodeIgniter Version 4.x

<form>
    <input name="name" type="text">
    <input name="email" type="text">
    <input name="password" type="password">

    <?= csrf_field() ?>
    <input type="submit" value="Save">
</form>