How does it categorize the severity of security issues?

Issues are classified as Critical (e.g., state change via GET), Major (e.g., missing SameSite attributes), or Minor (e.g., per-session rather than per-request tokens).

Does this skill help with API security?

Absolutely. It checks for missing X-Requested-With or custom CSRF headers in fetch/XHR calls and identifies permissive CORS configurations that could lead to CSRF.

What specific CSRF vulnerabilities does this skill detect?

It detects missing tokens in HTML forms, state-changing GET routes, unvalidated tokens on the server-side, insecure AJAX/API requests, and missing SameSite cookie attributes.

Can it provide fixes for specific PHP frameworks?

Yes, it includes best practice remediation patterns for popular frameworks like Laravel (Blade @csrf) and Symfony (Twig tokens), as well as manual PHP implementations.

PHP CSRF Security Checker

Name: PHP CSRF Security Checker
Author: dykyi-roman

bydykyi-roman

•

Security & Testing

Audits PHP codebases to identify and remediate Cross-Site Request Forgery (CSRF) vulnerabilities and insecure session patterns.

The PHP CSRF Security Checker is a specialized diagnostic skill for Claude Code designed to harden web applications against Cross-Site Request Forgery (CWE-352). It systematically analyzes PHP files to detect critical security gaps such as forms missing protection tokens, state-changing operations performed via GET requests, and insufficient server-side validation logic. Beyond simple detection, it provides actionable remediation patterns for modern frameworks like Laravel and Symfony, as well as native PHP implementations, ensuring that session management and cookie attributes like SameSite are configured according to industry best practices.

Key Features

0145 GitHub stars

02Identifies dangerous state-altering logic executed through GET requests

03Provides framework-specific fixes for Laravel, Symfony, and native PHP

04Analyzes AJAX and API endpoints for missing custom security headers

05Audits cookie configurations for SameSite, Secure, and HttpOnly attributes

06Detects forms and POST routes missing CSRF protection tokens

Use Cases

01Performing automated security audits during the development lifecycle

02Identifying legacy code paths that lack modern session protection

03Reviewing pull requests for OWASP Top 10 security compliance

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add dykyi-roman/awesome-claude-code check-csrf-protection

For use in Claude.ai and ChatGPT

Download Skill