What is CSRF protection in CodeIgniter 4?

Answer

CodeIgniter 4 provides built-in CSRF protection via the Security filter. Enable in app/Config/Security.php: $csrfProtection = "cookie" (or "session"). Apply the Security filter globally in app/Config/Filters.php or per route. In HTML forms, include the CSRF field: <?= csrf_field() ?> — generates a hidden input with the token. Or manually: <input type="hidden" name="<?= csrf_token() ?>" value="<?= csrf_hash() ?>">. For AJAX requests, include the token in headers or request body. If validation fails, a 403 response is returned. Exclude specific routes from CSRF: add them to the $except array in the Security configuration (useful for webhook endpoints that receive external POST requests).