
I am building a web form in PHP. It is just for the user to request information about my services or send comments, so I don't need the user to be logged in with a username and a password, and there is no database. I already have the validation and sanitization scripts for the server side.

I just want to make sure that the form is sent from the same domain and not manipulated in HTML or JS. Would a cookie with the 'httpOnly' parameter be enough? And a CSRF token too? I don't need to set $_SESSION, right?

So, if the contact page could be the target of attacks, should the CSRF headers or cookies be ONLY on that page, which could be called "contact.php"? The other pages may not need it because they are purely informative.

Before, I read about HTTP_REFERER, but it looks deprecated. The PHP manual doesn't mention it consistently. Orientation, please.

limakid

1 Answer


Client-side protection isn't protection at all, it's just convenience. And a form is just an HTTP transaction; the server does not care and cannot know whether what sent the transaction was your form, a browser extension, a custom JavaScript, or someone using curl. Using $_SESSION or not does not change anything at all.

HTTP Referer is client-controlled data; it cannot be trusted. Cookies cannot be trusted, and CSRF tags protect you against CSRF, and it does not look like your page needs CSRF protection.

If your contact page is a target for attacks, the best protection is a Captcha. It can stop bots and delay human attackers.

ThoriumBR
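The point in the answer above, that a form submission is just an HTTP transaction and that a Referer check or a cookie check is satisfied by any client that chooses to send those headers, shown as an added example that is not part of the original question or answer. It uses only Python's standard library: a hypothetical stand-in for contact.php applies exactly the two checks the question proposes (Referer on the site's domain, an HttpOnly cookie present), and a plain script passes both without ever loading the form. SITE_ORIGIN, the cookie name and value, and the form field are assumptions made for the demo.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode

# Assumed values for the demo: the site's origin and the cookie contact.php would set.
SITE_ORIGIN = "http://contact.example"
FORM_COOKIE = "formtoken=abc123"


class ContactHandler(BaseHTTPRequestHandler):
    """Stand-in for contact.php (hypothetical). GET serves the form and sets an
    HttpOnly cookie; POST applies the two checks from the question: Referer on
    our domain and the cookie present."""

    submissions = []  # what the server saw, kept for inspection after the run

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Set-Cookie", FORM_COOKIE + "; HttpOnly; Path=/")
        self.end_headers()
        self.wfile.write(b'<form method="post" action="/contact.php">'
                         b'<input name="message"><button>Send</button></form>')

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        fields = parse_qs(self.rfile.read(length).decode("utf-8"))
        referer_ok = self.headers.get("Referer", "").startswith(SITE_ORIGIN)
        cookie_ok = FORM_COOKIE in self.headers.get("Cookie", "")
        ContactHandler.submissions.append({
            "referer_ok": referer_ok,
            "cookie_ok": cookie_ok,
            "user_agent": self.headers.get("User-Agent", ""),
            "message": fields.get("message", [""])[0],
        })
        self.send_response(200 if (referer_ok and cookie_ok) else 403)
        self.end_headers()


def post_contact(port, headers):
    """POST to the stand-in contact.php with whatever headers the caller picks.
    Returns the HTTP status; both server-side checks depend on headers alone."""
    body = urlencode({"message": "sent from a script, not your form"}).encode()
    req = urllib.request.Request(
        f"http://127.0.0.1:{port}/contact.php", data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_demo():
    """Start the stand-in server, send a naive POST and a forged one, return both results."""
    ContactHandler.submissions.clear()
    server = HTTPServer(("127.0.0.1", 0), ContactHandler)
    port = server.server_address[1]
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        # 1. A naive bot: no Referer, no cookie. The checks reject it (403).
        naive_status = post_contact(port, {})
        # 2. The same request with two headers added. The server cannot tell it
        #    from a browser submitting the real form: Referer and Cookie are
        #    whatever the client decides to send, HttpOnly or not.
        forged_status = post_contact(port, {
            "Referer": SITE_ORIGIN + "/contact.php",
            "Cookie": FORM_COOKIE,
            "User-Agent": "Mozilla/5.0 (pretending to be a browser)",
        })
    finally:
        server.shutdown()
        server.server_close()
    return {
        "naive_status": naive_status,
        "forged_status": forged_status,
        "server_saw": ContactHandler.submissions[-1],
    }


if __name__ == "__main__":
    print(run_demo())
```

The two headers added in the forged request are exactly what `curl -H 'Referer: ...' -b 'formtoken=abc123'` would send. The HttpOnly flag only stops JavaScript running inside a browser from reading the cookie; a script that never runs in a browser is not bound by it at all, which is why the answer lists a Captcha, not headers or cookies, as the thing that actually raises the cost for an attacker.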