77
88` codemonster-ru/security ` is a set of reusable security components for the Annabel ecosystem:
99
10- - CSRF protection (` VerifyCsrfToken ` ) with a token from POST (` _token ` ) and/or headers (` X-CSRF-TOKEN ` , ` X-XSRF-TOKEN ` )
11- - Rate limiting / brute-force protection (` ThrottleRequests ` ) with a configurable key and storage layer
10+ - CSRF protection (` VerifyCsrfToken ` ) with a token from POST (` _token ` ) and/or headers (` X-CSRF-TOKEN ` , ` X-XSRF-TOKEN ` )
11+ - Rate limiting / brute-force protection (` ThrottleRequests ` ) with a configurable key and storage layer
1212
1313No Laravel/Symfony dependencies. Compatible with ` codemonster-ru/http ` and ` codemonster-ru/session ` .
1414
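Review bot: the removed and added lines 10-11 read identically in this view (same CSRF and `ThrottleRequests` bullets, same identifiers), so this hunk appears to change only whitespace or list-marker formatting; if that is the intent, saying so in the commit message saves reviewers from diffing the text by eye, and if a wording change was intended it has not survived.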
@@ -89,21 +89,21 @@ By default, CSRF is enabled globally (via `Kernel::addMiddleware`), but throttli
8989
9090` Codemonster\Security\Csrf\VerifyCsrfToken ` :
9191
92- - Skips methods from ` except_methods ` (` GET/HEAD/OPTIONS ` by default)
93- - By default, ** does not validate JSON requests** (if ` Accept: application/json ` ) to avoid breaking the API
94- - Validates the token:
95- - In the body: ` _token ` (configured via ` input_key ` )
96- - Or in the headers: ` X-CSRF-TOKEN ` , ` X-XSRF-TOKEN `
97- - On error, returns ` 419 ` (` application/json ` or ` text/plain ` )
92+ - Skips methods from ` except_methods ` (` GET/HEAD/OPTIONS ` by default)
93+ - By default, ** does not validate JSON requests** (if ` Accept: application/json ` ) to avoid breaking the API
94+ - Validates the token:
95+ - In the body: ` _token ` (configured via ` input_key ` )
96+ - Or in the headers: ` X-CSRF-TOKEN ` , ` X-XSRF-TOKEN `
97+ - On error, returns ` 419 ` (` application/json ` or ` text/plain ` )
9898
9999Security note: if your API uses cookies or other stateful auth, enable ` verify_json ` to protect JSON POST/PUT/PATCH/DELETE requests too.
100100
101101### Helpers
102102
103103The package autoloads helpers:
104104
105- - ` csrf_token(): string `
106- - ` csrf_field(): string ` - ready-to-use ` <input type="hidden" name="_token" ...> `
105+ - ` csrf_token(): string `
106+ - ` csrf_field(): string ` - ready-to-use ` <input type="hidden" name="_token" ...> `
107107
108108Example in the form:
109109
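Review bot: lines 92-97 are again rewritten with no visible textual difference, so this looks like list indentation only; while these bullets are being touched, the two token sources (`_token` in the body, `X-CSRF-TOKEN` / `X-XSRF-TOKEN` in the headers) should sit as nested items under `Validates the token:`, and the `Security note` about enabling `verify_json` for cookie-based APIs is the one line a reader must not miss, so consider placing it directly under the `does not validate JSON requests` bullet it qualifies rather than after the list.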
@@ -118,22 +118,22 @@ echo '</form>';
118118
119119` Codemonster\Security\RateLimiting\ThrottleRequests ` :
120120
121- - stores the attempt counter in storage via ` ThrottleStorageInterface `
122- - the package contains at least one implementation: ` SessionThrottleStorage ` (without a database)
123- - for shared storages, prefer atomic increments (implement ` AtomicThrottleStorageInterface ` ) to avoid race conditions
124- - returns ` 429 ` + headers:
125- - ` Retry-After ` (seconds)
126- - ` X-RateLimit-Limit `
127- - ` X-RateLimit-Remaining `
128- - ` RateLimit-Limit `
129- - ` RateLimit-Remaining `
130- - ` RateLimit-Reset ` (unix timestamp)
121+ - stores the attempt counter in storage via ` ThrottleStorageInterface `
122+ - the package contains at least one implementation: ` SessionThrottleStorage ` (without a database)
123+ - for shared storages, prefer atomic increments (implement ` AtomicThrottleStorageInterface ` ) to avoid race conditions
124+ - returns ` 429 ` + headers:
125+ - ` Retry-After ` (seconds)
126+ - ` X-RateLimit-Limit `
127+ - ` X-RateLimit-Remaining `
128+ - ` RateLimit-Limit `
129+ - ` RateLimit-Remaining `
130+ - ` RateLimit-Reset ` (unix timestamp)
131131
132132### Best practices
133133
134- - Enable ` verify_json ` for stateful APIs (cookies, sessions) to avoid CSRF bypasses.
135- - Configure ` trusted_proxies ` when running behind a proxy; otherwise ` X-Forwarded-For ` should be ignored.
136- - Use database or Redis storage in multi-node deployments to avoid per-node limits.
134+ - Enable ` verify_json ` for stateful APIs (cookies, sessions) to avoid CSRF bypasses.
135+ - Configure ` trusted_proxies ` when running behind a proxy; otherwise ` X-Forwarded-For ` should be ignored.
136+ - Use database or Redis storage in multi-node deployments to avoid per-node limits.
137137
138138### Trusted proxies
139139
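Review bot: line 122 `the package contains at least one implementation: SessionThrottleStorage (without a database)` is too vague for a reference README; the Best practices bullet below recommends database or Redis storage for multi-node deployments and the test section lists MySQL and Redis env vars, so list the storage implementations by class name and state which of them implement `AtomicThrottleStorageInterface`, since the atomic-increment advice on line 123 is only actionable if a reader knows which storages provide it. The `-`/`+` pairs otherwise render identically here, so this hunk also appears to be indentation of the header sub-list only.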
@@ -246,8 +246,12 @@ composer test
246246
247247Optional E2E env (tests are skipped if not set):
248248
249- - MySQL: ` MYSQL_HOST ` , ` MYSQL_PORT ` , ` MYSQL_DATABASE ` , ` MYSQL_USERNAME ` , ` MYSQL_PASSWORD `
250- - Redis: ` REDIS_HOST ` , ` REDIS_PORT ` , ` REDIS_PASSWORD ` , ` REDIS_DB `
249+ - MySQL: ` MYSQL_HOST ` , ` MYSQL_PORT ` , ` MYSQL_DATABASE ` , ` MYSQL_USERNAME ` , ` MYSQL_PASSWORD `
250+ - Redis: ` REDIS_HOST ` , ` REDIS_PORT ` , ` REDIS_PASSWORD ` , ` REDIS_DB `
251+
252+ ## Author
253+
254+ [ ** Kirill Kolesnikov** ] ( https://github.com/KolesnikovKirill )
251255
252256## License
253257
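Review bot: the new `## Author` section is the only content change in this commit, the other three hunks being formatting-only rewrites of unchanged bullets; consider keeping formatting and content changes in separate commits so the substantive addition is not buried. The heading level matches the adjacent `## License`, and placing it before the license is consistent with the rest of the file.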