Cross-site request forgery (CSRF or XSRF) is a process where a request is made to a site which takes an action when the user did not intend to take that action. This can be achieved in a variety of ways, but in Backdrop it is simple to protect against this type of attack.

The HTTP 1.1 specification makes a clear distinction that POST requests can modify data in the site (section 9.5) while GET requests should not modify data (section 9.3). Modules that modify data should require a POST request (i.e. a form).

Protecting against CSRF in Backdrop

The Backdrop Form API provides protection against CSRF using special tokens in the forms which are added automatically. If your module uses the Form API for all requests that modify data and if you properly follow the Form API documentation then your module is protected from CSRF.

Backdrop recommends against using the $_POST variables directly and creating a form via HTML instead of the Backdrop Form API.

Handling destructive actions with forms

For form actions which modify data (especially destructive modifications like deletion) it is recommended to add a confirmation form via confirm_form() for each of your menu callbacks. Backdrop does most of the work for you. See for example:


Alternatively, you can use backdrop_get_token() and backdrop_valid_token() to generate a token that can be used with regular links. However, this is generally discouraged, and should never be used when the link's resulting action would modify data. For an example usage of drupal_get_token, see:

Useful link:

Wikipedia description of CSRF