Cms: Option to disable CSRF protection for public facing actions

Created on 31 Jan 2017 · 4 comments · Source: craftcms/cms

Created by: Tam McDonald ([email protected]) on 2015/07/27 09:48:32 +0000
Votes at time of UserVoice import: 1


It would be great to be able to disable CSRF protection for certain public facing actions; perhaps similar to protected $allowAnonymous.

I've had multiple issues where external services need to post to a callback URL, but have failed due to CSRF (i.e. SagePay, DocuSign). It would be great to be able to disable CSRF for these actions (and not to have to do it awkwardly in general.php).

enhancement


All 4 comments

+1 on this, SagePay with Commerce just bombs out if you use CSRF at the moment.

up and +1 here.

And why not a way to allow 'users/login' (or other auth-related actions) to skip CSRF when used via ajax? I know the login returns the CSRF token, but to get it, you must already have a token along with the login action, which makes no sense for headless development.

Controllers can disable CSRF validation completely by setting $enableCsrfValidation to false:

public $enableCsrfValidation = false;

Or if you just want to disable it for certain actions, override beforeAction():

public function beforeAction($action)
{
    // Skip CSRF validation only for the 'save' action; all other actions keep it.
    if ($action->id === 'save') {
        $this->enableCsrfValidation = false;
    }

    return parent::beforeAction($action);
}

public function actionSave()
{
    // this action won't require CSRF validation
}

@rtrudel whether we should disable CSRF validation for login is a separate discussion; please post as a new issue.
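A fuller version of the per-action pattern above, as an added example and not code from this thread or from Craft itself: a Craft 3 module controller that exempts only its webhook action from CSRF validation, makes that action reachable anonymously, and authenticates the caller instead with a shared-secret HMAC over the raw request body. The module namespace, the X-Signature header and the WEBHOOK_SECRET environment variable are assumptions; real providers such as SagePay or DocuSign define their own verification schemes, and the HMAC check here only stands in for whichever one applies.

```php
<?php
namespace modules\payments\controllers; // assumed module namespace

use Craft;
use craft\web\Controller;
use yii\web\ForbiddenHttpException;
use yii\web\Response;

class CallbackController extends Controller
{
    // The provider is not a logged-in Craft user, so the callback must be reachable anonymously.
    protected $allowAnonymous = ['receive'];

    public function beforeAction($action)
    {
        // Exempt only the callback action; every other action in this controller keeps CSRF.
        if ($action->id === 'receive') {
            $this->enableCsrfValidation = false;
        }

        return parent::beforeAction($action);
    }

    public function actionReceive(): Response
    {
        $this->requirePostRequest();
        $request = Craft::$app->getRequest();

        // With CSRF gone, prove the request came from the provider: a keyed HMAC over the
        // raw body, compared in constant time. Header name and secret source are assumptions.
        $body = $request->getRawBody();
        $provided = (string)$request->getHeaders()->get('X-Signature');
        $secret = (string)Craft::parseEnv('$WEBHOOK_SECRET');

        if ($secret === '' || !self::signatureIsValid($body, $provided, $secret)) {
            Craft::warning('Rejected webhook with a missing or invalid signature', __METHOD__);
            throw new ForbiddenHttpException('Invalid webhook signature.');
        }

        // ... process the verified $body (e.g. json_decode it and record the event) here ...

        return $this->asJson(['received' => true]);
    }

    public static function signatureIsValid(string $body, string $provided, string $secret): bool
    {
        $expected = hash_hmac('sha256', $body, $secret);
        return $provided !== '' && hash_equals($expected, $provided);
    }
}
```

An empty or unset secret fails closed rather than letting an unsigned callback through, and the rejection is logged so repeated bad signatures are visible in Craft's logs.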
