Security

enableCsrf(cSecret)

Enable CSRF protection. Must be called before defining routes.

enableCsrf("my-csrf-secret")

$bolt.csrfToken()

Generate a session-bound CSRF token (format: session_id.timestamp.hmac). Also sets a session cookie if the client doesn’t already have one. The cookie is named BOLTSESSION over plain HTTP, or __Host-BOLTSESSION with the Secure flag over TLS (or when forceSecureCookies() is called).

token = $bolt.csrfToken()
# Include in form: <input type="hidden" name="_csrf" value="{{ token }}">

$bolt.verifyCsrf(cToken)

Verify a CSRF token. Checks session binding, HMAC signature, and 1-hour expiry. Returns 1 if valid, 0 otherwise.

if $bolt.verifyCsrf($bolt.formField("_csrf"))
    # Valid request
ok

$bolt.csrfAutoVerify()

Enable automatic CSRF token verification for state-changing requests (POST, PUT, DELETE, PATCH). Requires enableCsrf() to be called first. When enabled, Bolt checks for a valid CSRF token in the X-CSRF-Token header, _csrf form field, or _csrf query parameter. Requests without a valid token receive a 403 response.

enableCsrf("my-csrf-secret")
csrfAutoVerify()
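The token scheme described under csrfToken(), verifyCsrf() and csrfAutoVerify() above, as an added reference model in Python that is not Bolt's own code: it builds a session_id.timestamp.hmac token, verifies session binding, signature and the 1-hour expiry, and applies the auto-verify policy (state-changing methods only; token taken from the X-CSRF-Token header, the _csrf form field or the _csrf query parameter; 403 otherwise). The secret, session ids and timestamps are constructed for the demo, and using SHA-256 as the HMAC hash is an assumption.

```python
import hashlib
import hmac
import time

# Constructed values for this demo; a real deployment uses a long random secret.
SECRET = b"my-csrf-secret"
TOKEN_TTL = 3600  # the 1-hour expiry the page describes
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


def make_token(session_id, secret=SECRET, now=None):
    """Build a token in the session_id.timestamp.hmac shape described above."""
    ts = str(int(time.time()) if now is None else now)
    sig = hmac.new(secret, f"{session_id}.{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{ts}.{sig}"


def verify_token(token, session_id, secret=SECRET, now=None):
    """True only if the token is bound to session_id, validly signed and at most TOKEN_TTL old."""
    parts = token.rsplit(".", 2)  # rsplit tolerates a session id that itself contains dots
    if len(parts) != 3 or not parts[1].isdigit():
        return False
    tok_sid, ts, sig = parts
    if not hmac.compare_digest(tok_sid.encode(), session_id.encode()):  # session binding
        return False
    current = int(time.time()) if now is None else now
    if not 0 <= current - int(ts) <= TOKEN_TTL:  # expiry window (also rejects future timestamps)
        return False
    expected = hmac.new(secret, f"{tok_sid}.{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)  # constant-time signature check


def auto_verify(method, session_id, headers=None, form=None, query=None, now=None):
    """Model of the csrfAutoVerify() policy: 200 when no check is needed or the token is valid, else 403."""
    if method.upper() not in STATE_CHANGING:
        return 200  # safe methods are not checked
    sources = (
        (headers or {}).get("X-CSRF-Token"),
        (form or {}).get("_csrf"),
        (query or {}).get("_csrf"),
    )
    for token in sources:
        if token is not None and verify_token(token, session_id, now=now):
            return 200
    return 403
```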

$bolt.sha256(cData)

Generate the SHA-256 hash of cData. Note that a plain SHA-256 digest is fast and unsalted, so it is suited to integrity checks rather than password storage.

hash = $bolt.sha256("password123")

ipWhitelist(cIp)

Add an IP address or CIDR range to the whitelist.

ipWhitelist("192.168.1.100")
ipWhitelist("10.0.0.0/8")

ipBlacklist(cIp)

Add an IP address or CIDR range to the blacklist.

ipBlacklist("1.2.3.4")

proxyWhitelist(cIp)

Add an IP address to the proxy whitelist.

proxyWhitelist("10.0.0.1")