CSRF Protection
Configure CSRF (Cross-Site Request Forgery) protection and trusted proxies for PteroCA.
Overview
CSRF protection is a security measure that prevents unauthorized commands from being transmitted from a user that the application trusts. PteroCA uses Symfony's built-in CSRF protection.
When CSRF Configuration is Needed
You need to configure CSRF settings if:
Your server sits behind Cloudflare or another CDN
Your server sits behind a reverse proxy (NGINX proxy, load balancer, etc.)
You are seeing "Invalid CSRF token" errors
You need to disable CSRF for testing/development (not recommended for production)
CSRF with Cloudflare
If your server is behind Cloudflare, you may encounter "Invalid CSRF token" errors. This happens because Symfony only honours the forwarded request details (client IP, scheme, host) once Cloudflare is configured as a trusted proxy.
Configure Trusted Proxies
Step 1: Get Cloudflare IP Ranges
Use the official list of Cloudflare IP ranges from Cloudflare Documentation.
Current Cloudflare IPv4 ranges (verify these periodically):
Step 2: Update .env File
Add the TRUSTED_PROXIES variable to your .env file:
Add this line with Cloudflare IP ranges:
For quick testing (less secure), you can use:
Warning: Using 0.0.0.0/0 trusts all IPs and should only be used for testing.
Step 3: Clear Cache
After updating .env, clear the Symfony cache:
Configure Trusted Hosts
To prevent Host header injection attacks, also configure trusted hosts:
Use regex to match your domains:
^example\.com$ - Exact match for example.com
^.*\.example\.com$ - Match all subdomains
Separate multiple patterns with |
Example with multiple domains:
Disabling CSRF Protection
For Development Only
In development or testing environments, you may want to disable CSRF protection temporarily:
After updating, clear cache:
Production Warning
Never disable CSRF in production! This creates serious security vulnerabilities:
Users vulnerable to CSRF attacks
Attackers can perform unauthorized actions
Compliance violations (PCI-DSS, GDPR, etc.)
Reverse Proxy Configuration
If using a reverse proxy (NGINX, Apache, HAProxy, etc.), you need to configure trusted proxies.
NGINX Reverse Proxy
If PteroCA is behind an NGINX reverse proxy:
NGINX Configuration
PteroCA Configuration
Add proxy server IP to trusted proxies:
Load Balancer
For load balancers, add all load balancer IPs:
Troubleshooting
"Invalid CSRF Token" Errors
Symptom: Forms fail with "Invalid CSRF token" error
Solutions:
Check trusted proxies configuration
Verify Cloudflare IP ranges are current
Check https://www.cloudflare.com/ips/
Update .env if ranges changed
Clear cache after changes
Check session configuration
Verify cookies are being set
Check browser developer tools → Application → Cookies
Look for session cookie
Sessions Not Persisting
Symptom: Users are logged out frequently; sessions don't persist
Solutions:
Check session lifetime
Verify session storage
Check that the var/sessions/ directory exists and is writable
Set proper permissions:
Check cookie domain
Trusted Host Errors
Error: "Untrusted Host" or "Invalid Host header"
Solutions:
Add domain to TRUSTED_HOSTS
Escape dots in regex
Use \. not . (for example, example\.com not example.com)
Test regex pattern
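To check a TRUSTED_PROXIES / TRUSTED_HOSTS pair before putting it in .env, the following added example (not part of PteroCA or the Symfony code base) models the two checks this page configures: forwarded headers are honoured only when the TCP peer is inside a trusted proxy range, and the Host header is matched against the trusted-hosts regex. It assumes, as Symfony does, that TRUSTED_PROXIES is comma-separated and that the host pattern is applied as a case-insensitive, unanchored regex; the sample values are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample .env values (placeholders, not PteroCA defaults).
SAMPLE_ENV = {
    "TRUSTED_PROXIES": "198.51.100.0/24,203.0.113.7",
    "TRUSTED_HOSTS": r"^example\.com$|^.*\.example\.com$",
}


def parse_trusted_proxies(value):
    """Split a comma-separated TRUSTED_PROXIES value into networks.
    A bare IP becomes a single-host network (/32 or /128)."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in value.split(",") if p.strip()]


def is_trusted_proxy(remote_addr, networks):
    """True when the TCP peer address lies inside a configured proxy range."""
    ip = ipaddress.ip_address(remote_addr)
    return any(ip in net for net in networks)


def effective_client_ip(remote_addr, x_forwarded_for, networks):
    """Take the client IP from X-Forwarded-For only when the peer is a trusted
    proxy; otherwise the header is untrusted input and the peer is the client."""
    if x_forwarded_for and is_trusted_proxy(remote_addr, networks):
        return x_forwarded_for.split(",")[0].strip()
    return remote_addr


def overly_broad_proxies(networks):
    """Flag catch-all ranges such as 0.0.0.0/0: every peer would then be able
    to set the forwarded client IP, scheme and host (the page's warning)."""
    return [str(n) for n in networks if n.prefixlen == 0]


def is_trusted_host(host, trusted_hosts):
    """Assumed Symfony-style check: case-insensitive, unanchored regex search.
    Without ^...$ anchors and escaped dots the pattern matches too much."""
    return re.search(trusted_hosts, host, re.IGNORECASE) is not None


if __name__ == "__main__":
    nets = parse_trusted_proxies(SAMPLE_ENV["TRUSTED_PROXIES"])
    print("broad ranges:", overly_broad_proxies(nets))
    print("client via proxy:",
          effective_client_ip("198.51.100.20", "192.0.2.50", nets))
    print("host ok:", is_trusted_host("panel.example.com", SAMPLE_ENV["TRUSTED_HOSTS"]))
```

Running it with an unescaped pattern such as example.com shows why the troubleshooting step above insists on \.: the unanchored, unescaped form also accepts hosts like examplexcom and example.com.evil.test.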
Security Best Practices
Production Environment
Never disable CSRF in production
Use specific IP ranges for trusted proxies
Keep Cloudflare IP ranges updated
Configure trusted hosts
Enable HTTPS only
Monitor security logs
Regular Maintenance
Update Cloudflare IPs quarterly
Cloudflare occasionally adds new IP ranges
Subscribe to Cloudflare announcements
Audit trusted proxies
Review quarterly
Remove unused entries
Verify all IPs are still valid
Test after updates
Test forms after configuration changes
Verify CSRF tokens work
Check session persistence
Advanced Configuration
Custom CSRF Token TTL
Adjust CSRF token lifetime if needed:
Per-Environment Configuration
Use different settings for dev/staging/production:
Related Guides
Trusted Proxies - Detailed proxy configuration
SSL Configuration - HTTPS setup
Web Server Configuration - NGINX/Apache setup
Troubleshooting - Common issues