I'm learning how to handle CSRF in Phalcon and I want to automate the process so that I don't need to add this to every controller/action. I guess all my forms that POST (does this handle PUT and DELETE too?) will need to have the hidden field; that should be OK. Is this a good approach?
<?php
use Phalcon\Mvc\Controller;
use Phalcon\Mvc\Dispatcher;

class ControllerBase extends Controller
{
    // Runs before every action of every controller that extends this class;
    // Phalcon passes the dispatcher as the argument.
    public function beforeExecuteRoute(Dispatcher $dispatcher)
    {
        // csrf check: only POST requests are expected to carry the hidden token field
        if ($this->request->isPost()) {
            // checkToken() compares the token posted with the one stored in the session
            if (! $this->security->checkToken()) {
                throw new \Exception('Invalid security token');
            }
        }
    }
}
... so just before the action is invoked, it will check whether the request is a POST and whether the token is valid.
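As an added example (not the asker's code, and not from the Phalcon project), here is a base controller that extends the same idea to every state-changing method, plus the view side that the question mentions. It assumes Phalcon 3.x with a session service registered in the DI (Phalcon\Security keeps the token there). The constant name CSRF_METHODS, the header name X-CSRF-Token and the 403 handling are my choices, not Phalcon conventions. Note that a plain HTML form can only send GET or POST, so PUT/DELETE/PATCH requests normally come from JavaScript, which is why the token is also accepted from a request header.

```php
<?php
// Added example: CSRF enforcement for all state-changing requests in one place.
// Assumes Phalcon 3.x and a registered "session" service.
use Phalcon\Mvc\Controller;
use Phalcon\Mvc\Dispatcher;

class ControllerBase extends Controller
{
    // HTTP methods that change state and therefore must carry a token.
    // Safe methods (GET, HEAD, OPTIONS) are never checked. (Name is my choice.)
    const CSRF_METHODS = ['POST', 'PUT', 'PATCH', 'DELETE'];

    // Header used by JavaScript clients for PUT/PATCH/DELETE (my choice of name).
    const CSRF_HEADER = 'X-CSRF-Token';

    public function beforeExecuteRoute(Dispatcher $dispatcher)
    {
        if (!in_array($this->request->getMethod(), self::CSRF_METHODS, true)) {
            return true; // safe method: nothing to verify
        }

        // Do NOT call getToken()/getTokenKey() here: they mint a fresh pair into
        // the session and would overwrite the one the form or client is sending.
        $headerToken = (string) $this->request->getHeader(self::CSRF_HEADER);

        if ($headerToken !== '') {
            // Token supplied in a header: key comes from the session (null),
            // value comes from the header. Used for PUT/PATCH/DELETE and AJAX.
            $valid = $this->security->checkToken(null, $headerToken);
        } else {
            // Classic form post: checkToken() reads the hidden field named after
            // the session key from $_POST and compares it with the session value.
            $valid = $this->security->checkToken();
        }

        if (!$valid) {
            // Returning false from beforeExecuteRoute stops the dispatcher from
            // running the action; the 403 set here is what gets sent back.
            $this->view->disable();
            $this->response->setStatusCode(403, 'Forbidden');
            $this->response->setContent('Invalid security token');
            return false;
        }

        return true;
    }
}

/*
 * View side. In a .phtml view every form gets the hidden field; the names
 * come from the security service so they match what checkToken() expects:
 *
 *   <input type="hidden"
 *          name="<?= $this->security->getTokenKey() ?>"
 *          value="<?= $this->security->getToken() ?>">
 *
 * For JavaScript clients, expose the same value once per page and send it
 * back in the X-CSRF-Token header (header name assumed above):
 *
 *   <meta name="csrf-token" content="<?= $this->security->getToken() ?>">
 */
```

Two caveats worth knowing before relying on this. First, checkToken() removes the token from the session after a successful check (its third argument, destroyIfValid, defaults to true), so several forms on one page share a token fine, but a second submission of an already-used token, for instance from a stale tab, is rejected; for AJAX-heavy pages pass false as the third argument and rotate the token on login/logout instead. Second, within one request getToken() returns the same value on every call, so rendering several forms in one view does not produce several competing tokens.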