Blog

The 12 Modules of (ForgeBox) Christmas — Day 9 — verify-csrf-interceptor

12 Modules of (ForgeBox) Christmas, ColdBox MVC, CommandBox, ForgeBox, Modules
Eric Peterson December 22, 2017

Spread the word

Eric Peterson

December 22, 2017

Spread the word

Share your thoughts

Ortus Solutions
I love modules that help me do the right thing in my code, especially when I often forget to do something. Today's module is very straight-forward — [verify-csrf-interceptor](https://www.forgebox.io/view/verify-csrf-interceptor) — an interceptor that will automatically check for CSRF tokens for all non-GET requests to help protect against [cross-site request forgery.](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF))

verify-csrf-interceptor

To mitigate CSRF attacks, CFML has two built-in methods to handle CSRF tokens — csrfGenerateToken and csrfVerifyToken. You should include a generate token in any form submission in your application and verify it in your handlers or controllers.

It's very easy to miss this, though, because you have to wire up both the token generation in the form and the token verification in the handler. This interceptor takes care of the token verification.

It's such a short function, let's take a look at it in its entirety here:

/**
* Verifies the CSRF token on all non-GET requests
*/
component extends="coldbox.system.Interceptor"{
    
    public void function configure() {}

    public void function preEvent( event, interceptData ) {
        if ( event.getHTTPMethod() == "GET" ) {
            return;
        }

        if ( actionMarkedToSkip( event, interceptData ) ) {
            return;
        }

        if ( ! event.valueExists( "_token" ) ) {
            throw(
                type = "TokenMismatchException",
                message = "The CSRF token was not included."
            );
        }

        if ( ! CSRFVerifyToken( event.getValue( "_token" ) ) ) {
            throw(
                type = "TokenMismatchException",
                message = "The CSRF token is invalid."
            );
        }
    }

    private boolean function actionMarkedToSkip(
        required event,
        required struct interceptData
    ) {
        var handler = getController()
            .getHandlerService()
            .getRegisteredHandler( interceptData.processedEvent );

        var md = getComponentMetadata(
            "#handler.getInvocationPath()#.#handler.getHandler()#"
        );

        var funcs = arrayFilter( md.functions, function( func ) {
            return func.name == handler.getMethod();
        } );

        if ( NOT arrayIsEmpty( funcs ) ) {
            if ( structKeyExists( funcs[1], "skipCSRFCheck" ) ) {
                return true;
            }
        }

        return false;
    }
    
}

Wrap Up

Protect yourself from simple omissions like forgetting to generate and verify CSRF tokens — install verify-csrf-interceptor today and it will start verifying for you with no further configuration. That's the power of ColdBox modules!

Add Your Comment

Recent Entries

BoxLang v1.8.0 : Revolutionary HTTP Client, SOAP Integration, and Production-Grade Stability

BoxLang v1.8.0 : Revolutionary HTTP Client, SOAP Integration, and Production-Grade Stability

The BoxLang team is excited to announce BoxLang 1.8.0, a massive release that revolutionizes HTTP capabilities, introduces comprehensive SOAP/WSDL integration, and delivers over 100 critical bug fixes for production-grade stability. This release focuses on modern web application development with fluent APIs, streaming support, persistent connection management, and extensive CFML compatibility improvements.

Luis Majano
Luis Majano
December 05, 2025
Ortus & BoxLang November Recap 2025

Ortus & BoxLang November Recap 2025

November 2025 was a big month at Ortus. BoxLang 1.7.0 arrived with real-time streaming, distributed caching, and faster compiler internals. ColdBox gained a cleaner debugging experience with full Whoops support, while CBWIRE 5 launched with stronger security, smarter lifecycles, and easier uploads.

Victor Campos
Victor Campos
December 02, 2025
Thanksgiving Week Extended + Cyber Monday Deals Are Live!

Thanksgiving Week Extended + Cyber Monday Deals Are Live!

Because you asked; we’re extending the Thanksgiving Week offer and officially launching our Cyber Monday BoxLang Deals today!

To support everyone who wants to understand whether they’re running on legacy CFML or modern-ready code, and whether BoxLang is the right fit; we’ve decided to extend the dates and increase the number of companies we can support.

Maria Jose Herrera
Maria Jose Herrera
December 01, 2025