Use "X-Csrf-Token" as seen @ https://en.wikipedia.org/wiki/Cross-site…

…_request_forgery
xp-forge · Oct 29, 2023 · 6836649 · 6836649
1 parent b398de7
commit 6836649
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/src/main/php/web/frontend/Frontend.class.php b/src/main/php/web/frontend/Frontend.class.php
@@ -87,7 +87,7 @@ private function view($req, $res, $delegate, $matches= []) {
     }
 
     // Verify CSRF token for anything which is not a GET or HEAD request
-    $token= $req->param('token') ?? $req->header('X-CSRF-Token');
+    $token= $req->param('token') ?? $req->header('X-Csrf-Token');
     if (!isset($CSRF_EXEMPT[strtolower($req->method())]) && $req->value('token') !== $token) {
       return $this->errors()->handle(new Error(403, 'Incorrect CSRF token for '.$delegate->name()));
     }

diff --git a/src/test/php/web/frontend/unittest/CSRFTokenTest.class.php b/src/test/php/web/frontend/unittest/CSRFTokenTest.class.php
@@ -44,7 +44,7 @@ public function validated_as_part_of_payload() {
 
   #[Test]
   public function validated_as_header() {
-    $this->execute('POST', '/users', 'username=test', ['X-CSRF-Token' => self::TOKEN]);
+    $this->execute('POST', '/users', 'username=test', ['X-Csrf-Token' => self::TOKEN]);
   }
 
   #[Test]