CSRF POST from an external (C++) Application

I have the need to have an application I’m writing in C++ to POST data to a public website, to be inserted into a db. I’m interested in figuring out how to keep “bad actors” from sending data to my site. Everything I have seen about the CSRF token requires that I generate it from the site server, and usually in connection with a form.

In my app, I want to just send a POST to the site server, but I’m not sure how to use a randomly generated token from one computer and verify it on another computer. I was also thinking about checking the IP of the $REQUEST, but the app could be moved, so it “might” not be the one IP at any given time. The website is written in straight PHP, not Yii.

Can anyone help with ideas of how I can make sure that the data I’m sending is added and nothing from anybody else?

You need to create an API with an authentication mechanism like access tokens. Then in your API endpoints check if the access token is valid before authorizing the request. You can read more in the guide: https://www.yiiframework.com/doc/guide/2.0/en/rest-authentication

So this is a disconnected session. There is no way a Yii app can verify/generate/supply a valid CSRF token to a single POST. You may want to set alternative verifications like:

  • implement the same hash generator (encrypt/decrypt) in both Yii/PHP and C++ apps - might be complex.
  • filter per IP range, if possible
  • use Yii’s API REST authentication options - header bearer token, basic auth etc …
  • is that a safe intranet zone? Perhaps use just a configurable static secret key in both apps.
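
Added example, not part of any post in this thread: one way to do the "same hash generator in both apps" and "static secret key" suggestions in plain PHP, as an HMAC-SHA256 check over the request timestamp and body. The function names, the `X-Timestamp` / `X-Signature` header names, the 300-second window and the sample values are assumptions for illustration.

```php
<?php
// Added example: verify an HMAC-signed POST sent by a non-browser client.
// Names, headers and the freshness window below are hypothetical.

const MAX_SKEW_SECONDS = 300;

/** Signature the client must send: hex HMAC-SHA256 over "timestamp\nbody". */
function sign_request(string $secret, string $timestamp, string $body): string
{
    return hash_hmac('sha256', $timestamp . "\n" . $body, $secret);
}

/** Returns true only for a fresh, correctly signed request. */
function verify_request(string $secret, string $timestamp, string $body,
                        string $signature, int $now): bool
{
    // Reject non-numeric or stale timestamps to limit replay of captured requests.
    if (!ctype_digit($timestamp) || abs($now - (int)$timestamp) > MAX_SKEW_SECONDS) {
        return false;
    }
    $expected = sign_request($secret, $timestamp, $body);
    // hash_equals compares in constant time, avoiding a timing side channel.
    return hash_equals($expected, $signature);
}

// Constructed sample data, exercised from the command line only.
if (PHP_SAPI === 'cli') {
    $secret = 'constructed-demo-secret'; // load from server config in real use
    $body   = '{"sensor":"a1","value":42}';
    $now    = 1700000000;
    $ts     = (string)$now;
    $sig    = sign_request($secret, $ts, $body);

    var_dump(verify_request($secret, $ts, $body, $sig, $now));         // signed as sent
    var_dump(verify_request($secret, $ts, $body . ' ', $sig, $now));   // body altered
    var_dump(verify_request($secret, $ts, $body, $sig, $now + 3600));  // replayed later
    var_dump(verify_request('wrong-secret', $ts, $body, $sig, $now));  // different key
}

// In the web endpoint the inputs would come from the request itself:
//   $body = file_get_contents('php://input');
//   $ts   = $_SERVER['HTTP_X_TIMESTAMP'] ?? '';
//   $sig  = $_SERVER['HTTP_X_SIGNATURE'] ?? '';
//   verify_request($secret, $ts, $body, $sig, time()) or respond with 401.
```

The C++ side computes the same HMAC-SHA256 over the identical byte string and sends it with the timestamp. The request should travel over HTTPS, and a secret embedded in a distributed binary can be extracted, so this fits a client you control rather than one shipped to untrusted users.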