Categories:

12 Days of Christmas - ITB 2022 Video Release (12) 12 Modules of (ForgeBox) Christmas (12) 12 Tips of (CommandBox) Christmas (24) 12 Tips of (ContentBox) Christmas (24) Adobe (5) Books (4) BoxLang (34) BoxLife (0) CacheBox (75) CFBuilder (23) CFCasts (19) CFConfig (7) CFCouchbase (10) Cloud (16) ColdBox Connection (31) ColdBox MVC (0) ColdBox MVC (0) ColdBox MVC (0) ColdBox MVC (0) ColdBox MVC (997) ColdFusion (152) CommandBox (203) Community (338) Conferences (129) ContentBox CMS (167) Couchbase (19) Customers (5) DataBoss (16) DocBox (0) Docker (18) Eclipse (11) Elixir (6) Events (105) ForgeBox (69) FuseGuard (3) FusionReactor (4) Hosting (5) IDE (4) Interceptors (13) Into The Box (67) Ionic (2) Jobs (3) Legacy (7) Live Streams (7) LogBox (58) Lucee (25) Lucee Extensions (23) Modules (95) News (742) OpenSource (39) ORM (13) Ortus Developer Week (13) Ortus PDF (0) Ortus University (2) Patches (2) Patreons (7) Plugins (28) Podcasts (26) Presentations (70) ProfileBox (6) qb (1) Quick (5) Redis (9) Relax (8) Releases (495) REST (22) RoadShow (31) Sample Apps (15) Security (9) Software Craftmanship (5) TestBox (88) Testimonials (0) Training (191) Tutorials (370) Upcoming Events (8) Vue.js (4) Widgets (4) WireBox (71)

Archives:

The 12 Modules of (ForgeBox) Christmas — Day 9 — verify-csrf-interceptor

12 Modules of (ForgeBox) Christmas, ColdBox MVC, CommandBox, ForgeBox, Modules

Eric Peterson December 22, 2017

Spread the word

Eric Peterson

December 22, 2017

Spread the word

Share your thoughts

I love modules that help me do the right thing in my code, especially when I often forget to do something. Today's module is very straight-forward — [verify-csrf-interceptor](https://www.forgebox.io/view/verify-csrf-interceptor) — an interceptor that will automatically check for CSRF tokens for all non-GET requests to help protect against [cross-site request forgery.](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF))

verify-csrf-interceptor

To mitigate CSRF attacks, CFML has two built-in methods to handle CSRF tokens — csrfGenerateToken and csrfVerifyToken. You should include a generate token in any form submission in your application and verify it in your handlers or controllers.

It's very easy to miss this, though, because you have to wire up both the token generation in the form and the token verification in the handler. This interceptor takes care of the token verification.

It's such a short function, let's take a look at it in its entirety here:

        
          
          
              
              /**
* Verifies the CSRF token on all non-GET requests
*/
component extends="coldbox.system.Interceptor"{
     
    public void function configure() {}
 
    public void function preEvent( event, interceptData ) {
        if ( event.getHTTPMethod() == "GET" ) {
            return;
        }
 
        if ( actionMarkedToSkip( event, interceptData ) ) {
            return;
        }
 
        if ( ! event.valueExists( "_token" ) ) {
            throw(
                type = "TokenMismatchException",
                message = "The CSRF token was not included."
            );
        }
 
        if ( ! CSRFVerifyToken( event.getValue( "_token" ) ) ) {
            throw(
                type = "TokenMismatchException",
                message = "The CSRF token is invalid."
            );
        }
    }
 
    private boolean function actionMarkedToSkip(
        required event,
        required struct interceptData
    ) {
        var handler = getController()
            .getHandlerService()
            .getRegisteredHandler( interceptData.processedEvent );
 
        var md = getComponentMetadata(
            "#handler.getInvocationPath()#.#handler.getHandler()#"
        );
 
        var funcs = arrayFilter( md.functions, function( func ) {
            return func.name == handler.getMethod();
        } );
 
        if ( NOT arrayIsEmpty( funcs ) ) {
            if ( structKeyExists( funcs[1], "skipCSRFCheck" ) ) {
                return true;
            }
        }
 
        return false;
    }
     
}

            

        
      

Wrap Up

Protect yourself from simple omissions like forgetting to generate and verify CSRF tokens — install verify-csrf-interceptor today and it will start verifying for you with no further configuration. That's the power of ColdBox modules!

Add Your Comment

Into the Box 2025 Virtual Tickets Are Now LIVE!

The wait is over! By popular demand, Into the Box 2025 virtual tickets are officially available! Secure your spot today and take advantage of our exclusive early bird pricing before it’s gone!

We’re bringing the community together to push the boundaries of modern development—because change starts with us. We’ve taken the first step, now it’s your turn to evolve and take action!

Maria Jose Herrera

April 03, 2025

Security Red Flags in Your ColdFusion App (and how to fix them!)

Security breaches can lead to data leaks, legal issues, and irreversible damage to your company's reputation. Many ColdFusion applications—especially older ones—are vulnerable to cyber threats due to outdated code, weak authentication, and improper security configurations.

When was the last time you audited your ColdFusion application for security risks? If you’re unsure, it’s time for a professional security review.

Top ColdFusion Security Risks – Are You Expose...

Cristobal Escobar

Cristobal Escobar
April 03, 2025

BoxLang 1.0.0 RC3 Has Landed!

We are thrilled to announce the release of BoxLang 1.0.0-RC.3, marking a significant milestone in the development of our dynamic JVM language. This release brings a major performance boost and over 100 bug fixes and improvements, making it our most robust release to date. We are now entering the final stretch towards our full release on May 1st, and we need your help to ensure everything is in perfect shape. Please test your applications and report any issues.

Luis Majano

Luis Majano
April 03, 2025

Blog