For the specific controller / actions you can disable CSRF validation like so: use Yii; … Yii::$app->controller->enableCsrfValidation = false; Or inside a controller: $this->enableCsrfValidation = false; Take a look at $enableCsrfValidation property of yii\web\Controller. Update: Here is some specification. If you want to disable CSRF validation for individual action(s) you need to do it in … Read more
Is there any reason why I cannot include the string to hash as part of the request as well? CSRF tokens have two parts. The token embedded in the form, and a corresponding token somewhere else, be it in a cookie, stored in a session or elsewhere. This use of elsewhere stops a page being … Read more
Cross-Site Request Forgery (CSRF) in simple words Assume you are currently logged into your online banking at www.mybank.com Assume a money transfer from mybank.com will result in a request of (conceptually) the form http://www.mybank.com/transfer?to=<SomeAccountnumber>;amount=<SomeAmount>. (Your account number is not needed, because it is implied by your login.) You visit www.cute-cat-pictures.org, not knowing that it is … Read more