NAME
    CGI::Application::Plugin::ProtectCSRF - Plug-in that protects a CGI::Application from CSRF

VERSION
    0.02

SYNOPSIS
    use Your::App;
    use CGI::Application::Plugin::Session;      # required!!
    use CGI::Application::Plugin::ProtectCSRF;

DESCRIPTION
    CGI::Application::Plugin::ProtectCSRF is a CGI::Application plug-in that
    protects an application from CSRF (cross-site request forgery). It
    requires session support from CGI::Application::Plugin::Session. When a
    request is identified as CSRF, "403 Forbidden" is returned and processing
    is stopped.

METHOD

  add_postonly_runmodes
    Run modes registered with add_postonly_runmodes return "Forbidden" for
    every request whose method is not POST. Use it for run modes that change
    state (database writes, etc.), so that a forged GET request (a link or an
    image tag on an attacker's page) cannot reach them.

    Example:

        sub setup {             # or cgiapp_init
            my $self = shift;
            ....
            # When a request other than POST comes in for mode1, mode2 or mode3,
            # Forbidden is returned.
            $self->add_postonly_runmodes(qw(mode1 mode2 mode3));
        }

  delete_postonly_runmodes
    Removes run modes that were registered with add_postonly_runmodes, so
    they accept non-POST requests again.

    Example:

        $self->delete_postonly_runmodes(qw(mode1 mode2 mode3));

  clear_csrfid
    Clears the CSRF id. Call it once processing has finished, so that the id
    used for the completed transaction cannot be replayed. In a typical
    three-screen flow that is the completion screen:

        input screen => confirmation screen => completion screen (here!!)

    Example:

        sub input {
            my $self = shift;
            ....
        }

        sub confirm {
            my $self = shift;
            ....
        }

        sub complete {
            my $self = shift;
            # ... processing (DB insert etc.)
            $self->clear_csrfid;
            ....
        }

  is_post_request
    Checks the request method. Returns 1 if the request method is POST,
    otherwise a false value.

    Example:

        my $post_flag;
        if ($self->is_post_request) {
            # $self->query->request_method or $ENV{REQUEST_METHOD} is POST
        }
        else {
            # not POST
        }

CAUTION
    This module provides only basic CSRF protection. Implement the other
    security checks your application needs (input validation, output
    escaping, authorization, and so on) in the application itself.

SEE ALSO
    Carp
    CGI::Application
    CGI::Application::Plugin::Session
    Exporter
    Digest::SHA1
    HTML::TokeParser
    List::Util

AUTHOR
    Akira Horimoto

COPYRIGHT
    Copyright (C) 2006 Akira Horimoto

    This module is free software; you can redistribute it and/or modify it
    under the same terms as Perl itself.
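The following is an added example, not code from the module or its author, that puts the methods documented under METHOD together in one CGI::Application subclass implementing the input => confirmation => completion flow. The package name MyApp, the run-mode bodies and the form fields are assumptions made for illustration. It also assumes, since the documentation above does not describe the mechanism, that the plug-in inserts its own hidden CSRF id field into the HTML the application returns and verifies that field against the session on the next POST; the application code only has to declare which run modes are POST-only and to clear the id when the transaction is finished. CGI::Application, CGI::Application::Plugin::Session and CGI::Application::Plugin::ProtectCSRF must be installed for it to run.

```perl
package MyApp;
use strict;
use warnings;
use base 'CGI::Application';
use CGI::Application::Plugin::Session;       # required by ProtectCSRF
use CGI::Application::Plugin::ProtectCSRF;

sub setup {
    my $self = shift;
    $self->start_mode('input');
    $self->run_modes([qw(input confirm complete)]);

    # Only the state-changing run modes are restricted to POST. A forged
    # GET (a link or <img src> on an attacker's page) that targets them is
    # answered with 403 Forbidden before the run mode executes.
    $self->add_postonly_runmodes(qw(confirm complete));
}

# Screen 1: the input form. Reachable by GET (first visit) and by POST
# (the user pressed "back" on the confirmation screen), so is_post_request
# decides whether to pre-fill the field.
sub input {
    my $self    = shift;
    my $q       = $self->query;
    my $comment = $self->is_post_request ? $q->param('comment') : '';
    $comment = '' unless defined $comment;

    # Assumption: the plug-in rewrites this <form> to carry its CSRF id.
    return sprintf(<<'HTML', $q->escapeHTML($comment));
<form method="post" action="">
  <input type="hidden" name="rm" value="confirm">
  <input type="text" name="comment" value="%s">
  <input type="submit" value="confirm">
</form>
HTML
}

# Screen 2: confirmation. POST-only; shows what will be stored and carries
# the value forward to the completion screen.
sub confirm {
    my $self    = shift;
    my $q       = $self->query;
    my $comment = $q->param('comment');
    $comment = '' unless defined $comment;
    my $escaped = $q->escapeHTML($comment);   # output escaping is still the app's job

    return sprintf(<<'HTML', $escaped, $escaped, $escaped);
<p>Your comment: %s</p>
<form method="post" action="">
  <input type="hidden" name="rm" value="complete">
  <input type="hidden" name="comment" value="%s">
  <input type="submit" value="submit">
</form>
<form method="post" action="">
  <input type="hidden" name="rm" value="input">
  <input type="hidden" name="comment" value="%s">
  <input type="submit" value="back">
</form>
HTML
}

# Screen 3: completion. This is where the side effect happens, so it is
# POST-only (via add_postonly_runmodes) and the CSRF id is cleared once the
# work is done, so the same id cannot complete a second transaction.
sub complete {
    my $self    = shift;
    my $q       = $self->query;
    my $comment = $q->param('comment');
    $comment = '' unless defined $comment;

    # Belt and braces: add_postonly_runmodes already enforces this.
    unless ($self->is_post_request) {
        $self->header_props(-status => '403 Forbidden');
        return 'Forbidden';
    }

    save_comment($comment);          # DB insert etc. (stub below)
    $self->clear_csrfid;             # transaction finished: invalidate the id

    return '<p>Thank you, your comment was saved.</p>';
}

# Placeholder for the real persistence code.
sub save_comment {
    my ($comment) = @_;
    warn "would store comment: $comment\n";
    return 1;
}

# Run as a CGI script when executed directly.
MyApp->new->run unless caller;

1;
```

The plug-in stops forged requests; everything else in this example (escaping the user's comment before echoing it, keeping the write in the single POST-only completion run mode) is the application's responsibility, as the CAUTION section says.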