Implement CSRF protection in contact form: Added session management and CSRF token validation to enhance security. Updated AJAX response handling in JavaScript to reset button state after submission.

2026-01-06 21:49:24 +01:00
parent a6aab5208d
commit 385baf2db7
3 changed files with 29 additions and 0 deletions
--- a/public/contact-handler.php
+++ b/public/contact-handler.php
@@ -4,12 +4,22 @@
 * E-Mail-Verarbeitung mit SMTP-Integration und Spam-Schutz
 */

+// Session starten für CSRF-Validierung
+if (session_status() === PHP_SESSION_NONE) {
+    session_start();
+}
+
 // Konfiguration laden
 require_once 'config.php';

 // Konfiguration verwenden
 $config = getHexaHostConfig();

+// CSRF-Token validieren
+function validateCSRFToken($token) {
+    return isset($_SESSION['csrf_token']) && hash_equals($_SESSION['csrf_token'], $token);
+}
+
 // CORS Headers für AJAX-Requests
 header('Access-Control-Allow-Origin: *');
 header('Access-Control-Allow-Methods: POST');
@@ -329,6 +339,16 @@ function generateEmailText($data) {

 // Hauptverarbeitung
 try {
+    // CSRF-Token validieren
+    if (empty($_POST['csrf_token']) || !validateCSRFToken($_POST['csrf_token'])) {
+        http_response_code(403);
+        echo json_encode([
+            'success' => false, 
+            'message' => 'Ungültige Sitzung. Bitte laden Sie die Seite neu und versuchen Sie es erneut.'
+        ]);
+        exit;
+    }
+    
    // Rate Limiting Check
    $client_ip = $_SERVER['REMOTE_ADDR'];
    if (!checkRateLimit($client_ip)) {