CSRF Protection

Configure CSRF (Cross-Site Request Forgery) protection and trusted proxies for PteroCA.

Overview

CSRF protection is a security measure that prevents unauthorized commands from being transmitted from a user that the application trusts. PteroCA uses Symfony's built-in CSRF protection.

When CSRF Configuration is Needed

You need to configure CSRF settings if:

Using Cloudflare or other CDN in front of your server
Behind a reverse proxy (NGINX proxy, load balancer, etc.)
Experiencing "Invalid CSRF token" errors
Need to disable CSRF for testing/development (not recommended for production)

CSRF with Cloudflare

If your server is behind Cloudflare, you may encounter "Invalid CSRF token" errors. This happens because Symfony needs to recognize Cloudflare as a trusted proxy.

Configure Trusted Proxies

Step 1: Get Cloudflare IP Ranges

Use the official list of Cloudflare IP ranges from Cloudflare Documentation.

Current Cloudflare IPv4 ranges (verify these periodically):

173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0/15
104.16.0.0/13
104.24.0.0/14
172.64.0.0/13
131.0.72.0/22

Step 2: Update .env File

Add the TRUSTED_PROXIES variable to your .env file:

# Edit .env file
nano /var/www/pteroca/.env

Add this line with Cloudflare IP ranges:

TRUSTED_PROXIES=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22

For quick testing (less secure), you can use:

TRUSTED_PROXIES=0.0.0.0/0

Warning: Using 0.0.0.0/0 trusts all IPs and should only be used for testing.

Step 3: Clear Cache

After updating .env, clear the Symfony cache:

cd /var/www/pteroca
php bin/console cache:clear

Configure Trusted Hosts

To prevent Host header injection attacks, also configure trusted hosts:

# Add to .env file
TRUSTED_HOSTS=^example\.com$|^www\.example\.com$

Use regex to match your domains:

^example\.com$ - Exact match for example.com
^.*\.example\.com$ - Match all subdomains
Separate multiple patterns with |

Example with multiple domains:

TRUSTED_HOSTS=^panel\.example\.com$|^panel\.backup\.com$

Disabling CSRF Protection

For Development Only

In development or testing environments, you may want to disable CSRF protection temporarily:

# Add to .env file
DISABLE_CSRF=true

After updating, clear cache:

php bin/console cache:clear

Production Warning

Never disable CSRF in production! This creates serious security vulnerabilities:

Users vulnerable to CSRF attacks
Attackers can perform unauthorized actions
Compliance violations (PCI-DSS, GDPR, etc.)

Reverse Proxy Configuration

If using a reverse proxy (NGINX, Apache, HAProxy, etc.), you need to configure trusted proxies.

NGINX Reverse Proxy

If PteroCA is behind NGINX reverse proxy:

NGINX Configuration

location / {
    proxy_pass http://pteroca_backend;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}

PteroCA Configuration

Add proxy server IP to trusted proxies:

# If proxy is on same server
TRUSTED_PROXIES=127.0.0.1

# If proxy is on different server
TRUSTED_PROXIES=192.168.1.100

# Multiple proxies
TRUSTED_PROXIES=127.0.0.1,192.168.1.100

Load Balancer

For load balancers, add all load balancer IPs:

# Multiple load balancer IPs
TRUSTED_PROXIES=10.0.1.10,10.0.1.11,10.0.1.12

Troubleshooting

"Invalid CSRF Token" Errors

Symptom: Forms fail with "Invalid CSRF token" error

Solutions:

Check trusted proxies configuration
```
cat .env | grep TRUSTED_PROXIES
```
Verify Cloudflare IP ranges are current
- Check https://www.cloudflare.com/ips/
- Update .env if ranges changed
Clear cache after changes
```
php bin/console cache:clear
```
Check session configuration
```
cat .env | grep SESSION
```
Verify cookies are being set
- Check browser developer tools → Application → Cookies
- Look for session cookie

Sessions Not Persisting

Symptom: User logged out frequently, sessions don't persist

Solutions:

Check session lifetime

# Add to .env
SESSION_TIMEOUT=3600  # 1 hour in seconds

Verify session storage
- Check var/sessions/ directory exists and is writable
- Set proper permissions:
  chmod 755 var/sessions chown www-data:www-data var/sessions

Check cookie domain

# Add to .env if needed
COOKIE_DOMAIN=.example.com  # Note the leading dot for subdomains

Trusted Host Errors

Error: "Untrusted Host" or "Invalid Host header"

Solutions:

Add domain to TRUSTED_HOSTS

TRUSTED_HOSTS=^example\.com$|^www\.example\.com$

Escape dots in regex
- Use \. not .
- Example: example\.com not example.com

Test regex pattern

# Use PHP to test
php -r "preg_match('/^example\.com$/', 'example.com') ? print 'Match' : print 'No match';"

Security Best Practices

Production Environment

Never disable CSRF in production
Use specific IP ranges for trusted proxies
Keep Cloudflare IP ranges updated
Configure trusted hosts
Enable HTTPS only
Monitor security logs

Regular Maintenance

Update Cloudflare IPs quarterly
- Cloudflare occasionally adds new IP ranges
- Subscribe to Cloudflare announcements
Audit trusted proxies
- Review quarterly
- Remove unused entries
- Verify all IPs are still valid
Test after updates
- Test forms after configuration changes
- Verify CSRF tokens work
- Check session persistence

Advanced Configuration

Custom CSRF Token TTL

Adjust CSRF token lifetime if needed:

# config/packages/security.yaml
framework:
    csrf_protection:
        token_ttl: 3600  # 1 hour

Per-Environment Configuration

Use different settings for dev/staging/production:

# .env.local (not committed to git)
TRUSTED_PROXIES=127.0.0.1
DISABLE_CSRF=true  # Dev only!

# .env.production (production only)
TRUSTED_PROXIES=173.245.48.0/20,...
DISABLE_CSRF=false

Trusted Proxies - Detailed proxy configuration
SSL Configuration - HTTPS setup
Web Server Configuration - NGINX/Apache setup
Troubleshooting - Common issues

PreviousSSL Configuration NextTrusted Proxies

Last updated 1 month ago

hashtagOverview

hashtagWhen CSRF Configuration is Needed

hashtagCSRF with Cloudflare

hashtagConfigure Trusted Proxies

hashtagStep 1: Get Cloudflare IP Ranges

hashtagStep 2: Update .env File

hashtagStep 3: Clear Cache

hashtagConfigure Trusted Hosts

hashtagDisabling CSRF Protection

hashtagFor Development Only

hashtagProduction Warning

hashtagReverse Proxy Configuration

hashtagNGINX Reverse Proxy

hashtagNGINX Configuration

hashtagPteroCA Configuration

hashtagLoad Balancer

hashtagTroubleshooting

hashtag"Invalid CSRF Token" Errors

hashtagSessions Not Persisting

hashtagTrusted Host Errors

hashtagSecurity Best Practices

hashtagProduction Environment

hashtagRegular Maintenance

hashtagAdvanced Configuration

hashtagCustom CSRF Token TTL

hashtagPer-Environment Configuration

hashtagRelated Guides

Overview

When CSRF Configuration is Needed

CSRF with Cloudflare

Configure Trusted Proxies

Step 1: Get Cloudflare IP Ranges

Step 2: Update .env File

Step 3: Clear Cache

Configure Trusted Hosts

Disabling CSRF Protection

For Development Only

Production Warning

Reverse Proxy Configuration

NGINX Reverse Proxy

NGINX Configuration

PteroCA Configuration

Load Balancer

Troubleshooting

"Invalid CSRF Token" Errors

Sessions Not Persisting

Trusted Host Errors

Security Best Practices

Production Environment

Regular Maintenance

Advanced Configuration

Custom CSRF Token TTL

Per-Environment Configuration

Related Guides