Fix CSRF token handling: add session to index.php, fix cookie_secure for HTTPS

2026-02-03 20:51:45 +00:00
parent 72c9b4e9b4
commit 165c418c75
4 changed files with 15 additions and 3 deletions
--- a/index.php
+++ b/index.php
@@ -1,5 +1,13 @@
 <?php
 // Enhanced security headers
+// Session for CSRF token
+ini_set('session.cookie_samesite', 'Lax');
+ini_set('session.cookie_httponly', '1');
+ini_set('session.cookie_secure', '1');
+session_start();
+if (!isset($_SESSION['csrf_token'])) {
+    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
+}
 header('X-Content-Type-Options: nosniff');
 header('X-Frame-Options: DENY');
 header('X-XSS-Protection: 1; mode=block');
@@ -1105,7 +1113,8 @@ $twitter_card_image = "https://ukdataservices.co.uk/assets/images/ukds-main-logo
                </div>
                
                <div class="contact-form">
-                    <form action="contact-handler.php" method="POST" class="form" novalidate>
+                    <form action="contact-handler.php" method="POST" class="form" novalidate>
+                        <input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($_SESSION['csrf_token']); ?>">
                        <div class="form-group">
                            <label for="name">Contact Name *</label>
                            <input type="text" id="name" name="name" required aria-required="true" aria-describedby="name-error" autocomplete="name">