From 68366494aa25d90e392af76a74fa93f7d47f5246 Mon Sep 17 00:00:00 2001
From: Timm Friebe
Date: Sun, 29 Oct 2023 12:26:11 +0100
Subject: [PATCH] Use "X-Csrf-Token" as seen @ https://en.wikipedia.org/wiki/Cross-site_request_forgery

---
 src/main/php/web/frontend/Frontend.class.php | 2 +-
 src/test/php/web/frontend/unittest/CSRFTokenTest.class.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main/php/web/frontend/Frontend.class.php b/src/main/php/web/frontend/Frontend.class.php
index 7d1c61d..0c03ba3 100755
--- a/src/main/php/web/frontend/Frontend.class.php
+++ b/src/main/php/web/frontend/Frontend.class.php
@@ -87,7 +87,7 @@ private function view($req, $res, $delegate, $matches= []) {
     }

     // Verify CSRF token for anything which is not a GET or HEAD request
-    $token= $req->param('token') ?? $req->header('X-CSRF-Token');
+    $token= $req->param('token') ?? $req->header('X-Csrf-Token');
     if (!isset($CSRF_EXEMPT[strtolower($req->method())]) && $req->value('token') !== $token) {
       return $this->errors()->handle(new Error(403, 'Incorrect CSRF token for '.$delegate->name()));
     }
diff --git a/src/test/php/web/frontend/unittest/CSRFTokenTest.class.php b/src/test/php/web/frontend/unittest/CSRFTokenTest.class.php
index 035aa2c..9567957 100755
--- a/src/test/php/web/frontend/unittest/CSRFTokenTest.class.php
+++ b/src/test/php/web/frontend/unittest/CSRFTokenTest.class.php
@@ -44,7 +44,7 @@ public function validated_as_part_of_payload() {

   #[Test]
   public function validated_as_header() {
-    $this->execute('POST', '/users', 'username=test', ['X-CSRF-Token' => self::TOKEN]);
+    $this->execute('POST', '/users', 'username=test', ['X-Csrf-Token' => self::TOKEN]);
   }

   #[Test]
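Review bot: Renaming the lookup to `X-Csrf-Token` on the `$token=` line changes which clients pass the check unless `$req->header()` matches field names case-insensitively, which the hunk does not show; HTTP field names are case-insensitive, so a client that still sends `X-CSRF-Token` (the spelling most frameworks emit) must keep working. The hunk in CSRFTokenTest.class.php swaps the spelling instead of adding a case, so a case-sensitive lookup would go unnoticed; keep the previous spelling as a second test next to the new one, e.g. `$this->execute('POST', '/users', 'username=test', ['X-CSRF-Token' => self::TOKEN]);`. Separately, the context line compares the stored token with `!==`; `hash_equals((string)$req->value('token'), (string)$token)` would avoid a timing side channel and also tolerate a null header, though whether timing matters depends on how the token is generated outside the hunk. The enclosing view() method continues outside the hunk.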