CodeIgniter use CSRF protection only in some pages

Tags: codeigniter


Now CI3 has this feature; we can exclude the URIs in the config: http://www.codeigniter.com/userguide3/libraries/security.html?highlight=csrf#cross-site-request-forgery-csrf

$config['csrf_exclude_uris'] = array('api/person/add');

$config['csrf_exclude_uris'] = array(
    'api/record/[0-9]+',
    'api/title/[a-z]+'
);


You can do this by editing the config.php file

$config['csrf_protection'] = FALSE;

Step 1: create an array of pages that you want to protect

e.g.

$csrf_pages = array('login', 'test');

Step 2: check if there is any request for a protected page, then set it to TRUE:

if (isset($_SERVER["REQUEST_URI"])) {
    foreach ($csrf_pages as $csrf_page) {
        // substring match: enable protection when the page name occurs anywhere in the URI
        if (stripos($_SERVER["REQUEST_URI"], $csrf_page) !== FALSE) {
            $config['csrf_protection'] = TRUE;
            break;
        }
    }
}

Step 3: add this to your views

<input type="hidden" name="<?php echo $this->security->get_csrf_token_name(); ?>" value="<?php echo $this->security->get_csrf_hash();?>" />

Or simply use the form_open() function to add the hidden CSRF token field automatically.


For a safer approach, you should switch on CSRF protection at all times and only exempt the pages you wish in an array in the config.php file.

$config['csrf_protection'] = TRUE;

Then set an array of links you wish to exempt from CSRF protection:

$csrf_off = array(
    "/api",
    "/api/example",
    "/somelink/something/example"
);

Now turn those array links CSRF protection off.

if (isset($_SERVER["REQUEST_URI"])) {
    // exact string match against the raw request URI
    if (in_array($_SERVER["REQUEST_URI"], $csrf_off)) {
        $config['csrf_protection'] = FALSE;
    }
}
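As an added example (not from any of the answers above), this config.php fragment keeps protection on by default and exempts routes by anchored match on the URL path only, so a query string such as `/login?next=/api` or a substring like `/blogin` cannot flip the setting the way the `stripos` and raw `in_array` checks above can; the helper name `csrf_is_exempt()` and the patterns are assumptions.

```php
<?php
// application/config/config.php (fragment). Added example, not the
// project's or the answerers' own code; csrf_is_exempt() is a hypothetical helper.

// Default: CSRF protection ON for every request.
$config['csrf_protection'] = TRUE;

// Exemptions as anchored regexes on the path, e.g. endpoints that receive
// POSTs from non-browser clients and are authenticated some other way.
$csrf_exempt = array(
    '#^/api/person/add$#',
    '#^/api/record/[0-9]+$#',
);

if ( ! function_exists('csrf_is_exempt'))
{
    function csrf_is_exempt($request_uri, array $patterns)
    {
        // Drop the query string: '/login?next=/api' must not be read as '/api'.
        $path = parse_url($request_uri, PHP_URL_PATH);
        if ($path === FALSE OR $path === NULL)
        {
            return FALSE; // unparsable URI: keep protection on
        }
        // Normalise the trailing slash so '/api/record/7/' and '/api/record/7' agree.
        $path = '/'.trim($path, '/');
        foreach ($patterns as $pattern)
        {
            // Anchored match: '/api' does not cover '/api/admin/delete'.
            if (preg_match($pattern, $path) === 1)
            {
                return TRUE;
            }
        }
        return FALSE;
    }
}

if (isset($_SERVER['REQUEST_URI']) && csrf_is_exempt($_SERVER['REQUEST_URI'], $csrf_exempt))
{
    $config['csrf_protection'] = FALSE;
}

// On CodeIgniter 3 the built-in option gives the same result; CI3 anchors each
// pattern itself and matches it against the URI string without a leading slash:
// $config['csrf_exclude_uris'] = array('api/person/add', 'api/record/[0-9]+');
```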