Add CSRF protections to state-changing endpoints

2025-03-18 11:46:23 -04:00
parent f709c23bcc
commit d23cefa8a9
23 changed files with 239 additions and 79 deletions
--- a/deleteFolder.php
+++ b/deleteFolder.php
@@ -15,6 +15,15 @@ if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    exit;
 }

+$headers = array_change_key_case(getallheaders(), CASE_LOWER);
+$receivedToken = isset($headers['x-csrf-token']) ? trim($headers['x-csrf-token']) : '';
+
+if ($receivedToken !== $_SESSION['csrf_token']) {
+    echo json_encode(['success' => false, 'error' => 'Invalid CSRF token.']);
+    http_response_code(403);
+    exit;
+}
+
 // Get the JSON input and decode it
 $input = json_decode(file_get_contents('php://input'), true);
 if (!isset($input['folder'])) {