tempestphp · innocenzi · Oct 11, 2025 · Oct 6, 2025 · Oct 6, 2025 · Oct 6, 2025
diff --git a/packages/http/src/Session/VerifyCsrfMiddleware.php b/packages/http/src/Session/VerifyCsrfMiddleware.php
@@ -7,6 +7,7 @@
 use Tempest\Clock\Clock;
 use Tempest\Core\AppConfig;
 use Tempest\Core\Priority;
+use Tempest\Cryptography\Encryption\Encrypter;
 use Tempest\Http\Cookie\Cookie;
 use Tempest\Http\Cookie\CookieManager;
 use Tempest\Http\Method;
@@ -29,6 +30,7 @@ public function __construct(
         private SessionConfig $sessionConfig,
         private CookieManager $cookies,
         private Clock $clock,
+        private Encrypter $encrypter,
     ) {}
 
     public function __invoke(Request $request, HttpMiddlewareCallable $next): Response
@@ -67,9 +69,14 @@ private function ensureTokenMatches(Request $request): void
     {
         $tokenFromRequest = $request->get(
             key: Session::CSRF_TOKEN_KEY,
-            default: $request->headers->get(self::CSRF_HEADER_KEY),
         );
 
+        if (! $tokenFromRequest && $request->headers->has(self::CSRF_HEADER_KEY)) {
+            $tokenFromRequest = $this->encrypter->decrypt(
+                urldecode($request->headers->get(self::CSRF_HEADER_KEY)),
+            );
+        }
+
         if (! $tokenFromRequest) {
             throw new CsrfTokenDidNotMatch();
         }

diff --git a/tests/Integration/Http/CsrfTest.php b/tests/Integration/Http/CsrfTest.php
@@ -5,6 +5,7 @@
 use PHPUnit\Framework\Attributes\TestWith;
 use Tempest\Core\AppConfig;
 use Tempest\Core\Environment;
+use Tempest\Cryptography\Encryption\Encrypter;
 use Tempest\Http\Cookie\Cookie;
 use Tempest\Http\GenericRequest;
 use Tempest\Http\Method;
@@ -84,14 +85,19 @@ public function test_matches_from_body(): void
             ->assertOk();
     }
 
-    public function test_matches_from_header(): void
+    public function test_matches_from_header_when_encrypted(): void
     {
         $this->container->get(AppConfig::class)->environment = Environment::PRODUCTION;
-
         $session = $this->container->get(Session::class);
 
+        // Encrypt the token as it would be in a real request
+        $sessionCookieValue = $this->container
+            ->get(Encrypter::class)
+            ->encrypt($session->token)
+            ->serialize();
+
         $this->http
-            ->post('/test', headers: [VerifyCsrfMiddleware::CSRF_HEADER_KEY => $session->token])
+            ->post('/test', headers: [VerifyCsrfMiddleware::CSRF_HEADER_KEY => $sessionCookieValue])
             ->assertOk();
     }