
Is beforeExecuteRoute a good place to put CSRF checking?

I'm learning how to handle CSRF in Phalcon and I want to automate the process so that I don't need to add this to every controller/action. I guess all my forms that POST (does this handle PUT, DELETE too?) will need to have the hidden field; that should be OK. Is this a good approach:

<?php

use Phalcon\Mvc\Controller;

class ControllerBase extends Controller
{
    public function beforeExecuteRoute()
    {
        // csrf check
        if ($this->request->isPost()) {
            if (! $this->security->checkToken()) {
                throw new \Exception('Invalid security token');
            }
        }
    }
}

... so just before the action is invoked, it will check if it is a POST and if the token is valid.

I think that's a good place to put it - as an invalid CSRF token is pretty much a kill-switch for the request.
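
On the PUT/DELETE part of the question: the posted check runs only when isPost() is true, so other state-changing methods skip it. The sketch below is an added example, not code from the original posts or from Phalcon itself; it extends the same hook to those methods, and the X-CSRF-Token header name is an assumption for clients that cannot send the hidden form field.

```php
<?php

use Phalcon\Mvc\Controller;

class ControllerBase extends Controller
{
    // Methods that change state and therefore require a valid token.
    private const UNSAFE_METHODS = ['POST', 'PUT', 'PATCH', 'DELETE'];

    public function beforeExecuteRoute()
    {
        // GET, HEAD and OPTIONS are treated as read-only and are not checked.
        if (!in_array($this->request->getMethod(), self::UNSAFE_METHODS, true)) {
            return;
        }

        // Assumption: non-form clients (AJAX, PUT/DELETE) send the token
        // value in this header. The header name is hypothetical.
        $headerToken = $this->request->getHeader('X-CSRF-Token');

        // Without an explicit value, checkToken() looks the token up in the
        // POST data, which a PUT/PATCH/DELETE body does not populate, so the
        // header value is passed in when it is present.
        $valid = !empty($headerToken)
            ? $this->security->checkToken(null, $headerToken)
            : $this->security->checkToken();

        if (!$valid) {
            // Same failure behaviour as the code in the question.
            throw new \Exception('Invalid security token');
        }
    }
}
```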