
Eric Peterson

December 22, 2017


I love modules that help me do the right thing in my code, especially when I often forget to do something. Today's module is very straightforward — [verify-csrf-interceptor](https://www.forgebox.io/view/verify-csrf-interceptor) — an interceptor that automatically checks for CSRF tokens on all non-GET requests to help protect against [cross-site request forgery](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)).

verify-csrf-interceptor

To mitigate CSRF attacks, CFML has two built-in functions for handling CSRF tokens — csrfGenerateToken and csrfVerifyToken. You should include a generated token in every form submission in your application and verify it in your handlers or controllers.

It's very easy to miss this, though, because you have to wire up both the token generation in the form and the token verification in the handler. This interceptor takes care of the token verification.
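As an added example (not code from the module or the original post), here is the two-sided wiring the paragraph describes: a view that embeds a token in a form, and a handler that verifies it by hand. The view path, handler name and `prc.contact` object are hypothetical; the field is named `_token` because that is the name the interceptor shown below looks for, and the token is generated with the default key so that a default-key `csrfVerifyToken()` call will accept it.

```cfml
<!--- views/contacts/edit.cfm (hypothetical view; added example) --->
<cfoutput>
<form method="POST" action="#event.buildLink( "contacts.save" )#">
    <!--- Hidden field carrying the anti-CSRF token; name must match what the verifier reads --->
    <input type="hidden" name="_token" value="#csrfGenerateToken()#">
    <!--- Encode user data on the way out to avoid XSS while we are fixing CSRF --->
    <input type="text" name="name" value="#encodeForHTMLAttribute( prc.contact.getName() )#">
    <button type="submit">Save</button>
</form>
</cfoutput>
```

```cfml
// handlers/Contacts.cfc (hypothetical handler; added example)
component {

    /**
     * Manual verification: this is the step the interceptor automates.
     * Every state-changing action must repeat it, which is what makes it easy to forget.
     */
    function save( event, rc, prc ) {
        // Missing or stale token: refuse the request before touching any state
        if ( ! csrfVerifyToken( rc._token ?: "" ) ) {
            throw(
                type    = "TokenMismatchException",
                message = "The CSRF token is invalid."
            );
        }

        // ... persist rc.name for the contact here ...

        relocate( "contacts.index" );
    }

}
```

Both the generator and the verifier default to the same token key, so if you ever call `csrfGenerateToken( "someKey" )` with a custom key, the matching `csrfVerifyToken( token, "someKey" )` must use it too; a verifier that uses the default key will reject a token generated under a custom one.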

It's such a short component that we can look at it in its entirety here:

```cfml
/**
* Verifies the CSRF token on all non-GET requests
*/
component extends="coldbox.system.Interceptor"{

    public void function configure() {}

    // Runs before every handler action; aborts the request on a missing or invalid token
    public void function preEvent( event, interceptData ) {
        if ( event.getHTTPMethod() == "GET" ) {
            return;
        }

        if ( actionMarkedToSkip( event, interceptData ) ) {
            return;
        }

        if ( ! event.valueExists( "_token" ) ) {
            throw(
                type = "TokenMismatchException",
                message = "The CSRF token was not included."
            );
        }

        if ( ! CSRFVerifyToken( event.getValue( "_token" ) ) ) {
            throw(
                type = "TokenMismatchException",
                message = "The CSRF token is invalid."
            );
        }
    }

    // Looks up the metadata of the action about to run and honours a skipCSRFCheck annotation
    private boolean function actionMarkedToSkip(
        required event,
        required struct interceptData
    ) {
        var handler = getController()
            .getHandlerService()
            .getRegisteredHandler( interceptData.processedEvent );

        var md = getComponentMetadata(
            "#handler.getInvocationPath()#.#handler.getHandler()#"
        );

        var funcs = arrayFilter( md.functions, function( func ) {
            return func.name == handler.getMethod();
        } );

        if ( NOT arrayIsEmpty( funcs ) ) {
            if ( structKeyExists( funcs[1], "skipCSRFCheck" ) ) {
                return true;
            }
        }

        return false;
    }

}
```
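Two practical points fall out of reading the interceptor: the `actionMarkedToSkip` check only looks for a metadata key named `skipCSRFCheck` on the action, so any function attribute or annotation with that name opts the action out, and the `TokenMismatchException` it throws is not caught anywhere in the module, so your application decides how to respond. The following is an added example (not part of the module) showing both: a hypothetical webhook action that legitimately cannot carry a session token, and an `onException` handler in Main.cfc that turns the mismatch into a 403 instead of a generic error page. The use of `prc.exception.getExceptionStruct()` is ColdBox's exception bean API as I understand it; treat the exact accessor as an assumption.

```cfml
// handlers/Payments.cfc (hypothetical; added example)
component {

    // Ordinary browser-driven POST: the interceptor verifies _token, nothing to do here
    function save( event, rc, prc ) {
        // ... persist ...
        relocate( "payments.index" );
    }

    // Server-to-server callback with no browser session, so no CSRF token exists.
    // The value of the attribute is irrelevant: the interceptor only tests that the key is present.
    // Opted-out actions must be protected by something else (a signature check is assumed here).
    function webhook( event, rc, prc ) skipCSRFCheck="true" {
        if ( ! verifyProviderSignature( event ) ) {   // hypothetical helper, not shown
            event.renderData( type = "text", data = "bad signature", statusCode = 401 );
            return;
        }
        // ... process callback ...
        event.renderData( type = "text", data = "ok" );
    }

}
```

```cfml
// handlers/Main.cfc (hypothetical; added example)
component {

    // ColdBox routes unhandled exceptions here; map the interceptor's exception to a 403
    function onException( event, rc, prc ) {
        var ex = prc.exception.getExceptionStruct();

        if ( ex.type == "TokenMismatchException" ) {
            event.renderData(
                type       = "html",
                data       = "<h1>Request rejected</h1><p>#encodeForHTML( ex.message )#</p>",
                statusCode = 403
            );
            return;
        }

        // Fall through to the default error view for everything else
        event.setView( "main/onException" );
    }

}
```

Note that the early return in `preEvent` is for `GET` only, so `HEAD` and `OPTIONS` requests are also verified; if a client sends those to your handlers, they will need to opt out via the annotation or be routed elsewhere.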

Wrap Up

Protect yourself from simple omissions like forgetting to verify CSRF tokens — install verify-csrf-interceptor today and it will start verifying on every non-GET request with no further configuration. You still have to generate the token in your forms; the interceptor covers the verification half. That's the power of ColdBox modules!
