Remediation Steps

Follow the steps below to remediate this finding (generic developer guidance).

  1. Add a per-session, per-form CSRF token to every state-changing HTML form and validate it server-side.

  2. Generation example (PHP):

     // requires an active session (session_start()) before the token is stored
     $token = bin2hex(random_bytes(32));
     $_SESSION['csrf_token'] = $token;

  3. Form field:

     <input type="hidden" name="csrf_token" value="<?= htmlspecialchars($token) ?>">

  4. Validation:

     // constant-time comparison; a missing session token or POST field fails closed with 403
     if (!hash_equals($_SESSION['csrf_token'] ?? '', $_POST['csrf_token'] ?? '')) {
         http_response_code(403);
         exit('CSRF validation failed');
     }

  5. Use the SameSite=Strict or SameSite=Lax cookie attribute as a complementary defence.
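A complete per-form variant of the steps above, as an added example that is not part of this guidance: it keys tokens by form id (the guidance asks for per-form tokens but its snippets show a single per-session token), consumes each token on use so it cannot be replayed, and sets the SameSite cookie attribute from step 5. The form id `change_email`, the function names and the handler body are assumptions.

```php
<?php
// Added example (not from the original guidance): per-session, per-form CSRF
// tokens in plain PHP. Function names and the form id are hypothetical.
declare(strict_types=1);

// Session cookie flags must be set before the session starts; SameSite=Lax is
// the complementary defence named in step 5 of the guidance.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// Issue a fresh token bound to one specific form and store it in the session.
function csrf_token(string $formId): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['csrf_tokens'][$formId] = $token;
    return $token;
}

// Validate in constant time and consume the token so it is single-use.
function csrf_validate(string $formId, ?string $submitted): bool
{
    $expected = $_SESSION['csrf_tokens'][$formId] ?? null;
    if ($expected === null || $submitted === null) {
        return false;
    }
    unset($_SESSION['csrf_tokens'][$formId]);
    return hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_validate('change_email', $_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('CSRF validation failed');
    }
    // hypothetical handler: apply the state change here
    exit('Email updated');
}

$token = csrf_token('change_email');
?>
<form method="post" action="">
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <input type="email" name="email" required>
  <button type="submit">Change email</button>
</form>
```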