Whitelisting CodeIgniter URLS from CSRF

CodeIgniter is a PHP framework we use heavily here at Voltamp Media. When CI2.x was released, it had support for Cross Site Request Forgery prevention. The problem was it was an all or nothing feature. This is fine when POST data originates in forms. However, it is a game stopper for API functionality. Here is how we updated the framework to support URI whitelisting.

First, in the application/config/config.php file, add this line to the CSRF section:

$config['csrf_exclude_uris'] = array('controller1','controller2','controller3/method1','controller3/method2');

Then I extended the CI Security library file. Here is a link to my Github fork.

Let me know if you use it!

Leave a Reply

Your email address will not be published. Required fields are marked *