Trongate Docs
switch to dark modeswitch to dark mode
CSRF Protection

CSRF Protection

Cross-site request forgery is a type of attack that involves variables being posted to an endpoint from a third party website.  Trongate has a built-in mechanism for preventing cross-site request forgery.  This mechanism involves having a hidden form field, named 'csrf_token', added to your forms.  The hidden form field would contain a token that has been generated by the framework and the framework would check the token automatically, upon form submission, to guarantee that the user has not submitted values from a third-party website or application.

How To Activate Automatic CSRF Protection

To activate automatic CSRF Protection:

  • use the form_close() method to close your form(s)
  • make sure your form submit button has a name of 'submit'

Carrying out the two steps above will activate and enable CSRF protection on your forms.

Just To Let You Know
This feature was added in Trongate version 1.3.3030.  For users who have been or are on earlier versions of Trongate, simply update your engine folder to the latest version.  If your forms comply with the two steps outlined above then CSRF protection will be applied without you having to change or update any of your modules.


If you have a question or a comment relating to anything you've see here, please goto the Help Bar.