
Passing CSRF token in header not working on NGINX server, as underscores in header are not supported

Open JordanRifaey opened this issue 2 years ago • 1 comments

@blizzz @akrabat regarding this PR to enable csrf token check in http header: https://github.com/slimphp/Slim-Csrf/pull/175

It seems that the CSRF keys have an underscore in them, and NGINX does not support underscores in headers. Is there any way to customize the csrf keys so we can remove the underscore?

JordanRifaey, Feb 02 '24 22:02

Ok, so that is what @deployHuman referred to in https://github.com/slimphp/Slim-Csrf/pull/143#issue-1044611332

https://github.com/slimphp/Slim-Csrf/blob/f66be9740283ed4f432535aff3623540e178013a/src/Guard.php#L272 and https://github.com/slimphp/Slim-Csrf/blob/f66be9740283ed4f432535aff3623540e178013a/src/Guard.php#L280 would need to be changed.

blizzz, Feb 02 '24 22:02

This needs addressing, but as it's a BC break, we'll need to roll a 2.0 for it I think.

Until then, you can add:

underscores_in_headers on;

to your nginx config as per https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers

akrabat, Jun 08 '24 16:06
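An added Python simulation (not code from Slim-Csrf or from this thread) of the failure mode described above: nginx, with its default settings, silently drops request headers whose names contain an underscore, so a token sent in `csrf_name` / `csrf_value` style headers never reaches the application and the check fails as "missing" rather than "mismatch". The header names, the stored token pair and the nginx filtering behaviour are modelled here by assumption; `underscores_in_headers on;` is the workaround from the comment above.

```python
import hmac

# Constructed sample: the token pair Slim-Csrf-style middleware keeps in the
# session, stored as token name => token value. Key names assume the
# default "csrf" prefix (assumption, not taken from the library source).
NAME_KEY = "csrf_name"
VALUE_KEY = "csrf_value"
TOKEN_NAME = "csrf6409e1d2"
TOKEN_VALUE = "a3f1c9d2e4b5f60718293a4b5c6d7e8f"
STORAGE = {TOKEN_NAME: TOKEN_VALUE}


def nginx_forward_headers(headers: dict, underscores_in_headers: bool = False) -> dict:
    """Model how nginx passes request headers upstream.

    With ignore_invalid_headers on (default) and underscores_in_headers off
    (default), a header whose name contains "_" is marked invalid and
    silently dropped; the client gets no error. Names are case-insensitive.
    """
    forwarded = {}
    for name, value in headers.items():
        if "_" in name and not underscores_in_headers:
            continue  # discarded before PHP ever sees it
        forwarded[name.lower()] = value
    return forwarded


def check_csrf(headers: dict, storage: dict) -> str:
    """Validate a token pair read from request headers.

    Returns "ok", "missing" (header never arrived) or "mismatch".
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    name = lowered.get(NAME_KEY.lower())
    value = lowered.get(VALUE_KEY.lower())
    if name is None or value is None:
        return "missing"
    expected = storage.get(name)
    if expected is None or not hmac.compare_digest(expected, value):
        return "mismatch"
    return "ok"


def simulate(underscores_in_headers: bool, value: str = TOKEN_VALUE) -> str:
    """Client sends the token in headers; nginx filters; app validates."""
    client_headers = {NAME_KEY: TOKEN_NAME, VALUE_KEY: value, "Content-Type": "application/json"}
    upstream = nginx_forward_headers(client_headers, underscores_in_headers)
    return check_csrf(upstream, STORAGE)


if __name__ == "__main__":
    for flag in (False, True):
        print(f"underscores_in_headers {'on' if flag else 'off'}: {simulate(flag)}")
```

The "missing" result is the symptom to look for when diagnosing this: the application log shows no token at all, while the browser's request clearly carried one.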

hehe yeah my first PR got little to no love, I think I was too bad at describing what problem I had stumbled on. Now though, I moved on a long time ago, a problem can't take 3 years to fix ^^ I think it's a warning sign of how active this repo is :D

All good wishes from me though! Take care

deployHuman, Jun 08 '24 16:06

a problem can't take 3 years to fix

I agree. Catching Covid back in 2021 has proven to be challenging for some of us and the team is very small. No excuses, it's just where it is at.

akrabat, Jun 08 '24 16:06

Putting no blame on you! Remember it's still open source. And we recently saw what a difficult position it is to be an owner of a repo from that whole "XZ-trust-attack" news. Hope you and everyone fully recover and take care! Much love from Sweden /G

deployHuman, Jun 08 '24 17:06

Fixed in #186.

akrabat, Jun 08 '24 18:06