Is it possible to generate a CSRF-token (random string) to use with a PHP script?

I’m trying to secure a contact form by generating a CSRF token that can be handed off to the PHP script that emails the form content.

My first thought was to include a few lines of PHP on the contact page that would create and store a random string in the php-variable $token, but I never got Hugo to output the contact page as a .php file. (I tried defining a custom outputFormats and mediaTypes in the config and adding a single.php file in /layouts/_default/, without any luck. Hugo refused to make the php-file.)

The PHP-script that receives the form data works flawlessly. It would be neat if there was a way to avoid including PHP in my Hugo templates in the first place by having Hugo generate a token that could be handed of to the PHP script somehow.

Any suggestions are welcome! Having searched trough most of the existing material online on how to implement a contact page in Hugo, there seems to be a real need to find a best-practice to accomplish this in a secure way.

The form works in it’s current form, but is not in any way secure. Have a look at it here: https://webdev.ramydent.no/kontakt/

Having thought a bit about it, one solution could be to pre-generate a bunch of random strings that are put in a separate file in the page bundle, but I can’t think of a way to make Hugo choose a different line from the file on each page load. Also, I’m not sure if it would be possible to hide the content of this file from regular visitors without making it inaccessible to Hugo as well.

This pre-generated list could be renewed every time I build the site, to ensure a fresh supply of random strings.

It would probably not be as secure as a real CSRF-solution, but at least it’s something.

EDIT: And if it simply is not possible to achieve this with Hugo only, it would be nice to find a way for Hugo to output .php-files :laughing:

EDIT2: I created a separate topic regarding my attempts to include PHP on the contact page.

Again: Hugo is a static website creator. Static means, you can’t change things for different page loads, different users, different times. Having said that: Javascript is your friend. The question is, how you have the receiving PHP script parsing the CSRF and understanding it as valid.

Netlify has a form solution. Other hosters too. It’s probably a better solution to let the hoster of your static website take care of the security aspect of forms.

If you are trying to host on a PHP space: Why? Would you buy a Mercedes car to listen to your mix-tape or would you buy a tape recorder?

Other than that: let Javascript create your token and find a way to understand on the backend side.

It was not my choice, the customer already owned an account at a hosting provider and wanted to continue using it.

This is actually a great idea, although it could be tricky to hand over the token to the PHP script… I’ll just have to research this a bit more.

EDIT: One solution could of course be to make the javascript output the token directly into the html of the contact form, and then send it to the php script together with the rest of the content. Although I would prefer that this token was generated server-side with PHP for those not using javascript.