Disabling CSRF in CakePHP4 for specific controllers and actions

To disable the CSRF check for a specific controller or action in CakePHP 4.1, proceed as follows.
As of CakePHP 4.1, the CsrfProtectionMiddleware setup has been moved to src/Application.php, so you only need to change src/Application.php.

Original

src/Application.php

/**
 * Setup the middleware queue your application will use.
 *
 * @param \Cake\Http\MiddlewareQueue $middlewareQueue The middleware queue to setup.
 * @return \Cake\Http\MiddlewareQueue The updated middleware queue.
 */
public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
{
    $middlewareQueue
        // Catch any exceptions in the lower layers,
        // and make an error page/response
        ->add(new ErrorHandlerMiddleware(Configure::read('Error')))

        // Handle plugin/theme assets like CakePHP normally does.
        ->add(new AssetMiddleware([
            'cacheTime' => Configure::read('Asset.cacheTime'),
        ]))

        // Add routing middleware.
        // If you have a large number of routes connected, turning on routes
        // caching in production could improve performance. For that when
        // creating the middleware instance specify the cache config name by
        // using its second constructor argument:
        // `new RoutingMiddleware($this, '_cake_routes_')`
        ->add(new RoutingMiddleware($this))

        // Parse various types of encoded request bodies so that they are
        // available as array through $request->getData()
        // https://book.cakephp.org/4/en/controllers/middleware.html#body-parser-middleware
        ->add(new BodyParserMiddleware())

        // Cross Site Request Forgery (CSRF) Protection Middleware
        // https://book.cakephp.org/4/en/controllers/middleware.html#cross-site-request-forgery-csrf-middleware
        ->add(new CsrfProtectionMiddleware([
            'httponly' => true,
        ]));

    return $middlewareQueue;
}

After change

src/Application.php

/**
 * Setup the middleware queue your application will use.
 *
 * @param \Cake\Http\MiddlewareQueue $middlewareQueue The middleware queue to setup.
 * @return \Cake\Http\MiddlewareQueue The updated middleware queue.
 */
public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
{

    $csrf = new CsrfProtectionMiddleware(['httponly'=>true]);
    $csrf->skipCheckCallback(function($request) {            // Token check will be skipped when callback returns `true`.
        $controller = $request->getParam('controller');
        $action = $request->getParam('action');
        if (is_null($controller) || is_null($action)) {
            return false;
        }
        if (strcmp($controller,'Apis') == 0) {    // Skip token check for API URLs.
            return true;
        }
        return false;
    });

    $middlewareQueue
        // Catch any exceptions in the lower layers,
        // and make an error page/response
        ->add(new ErrorHandlerMiddleware(Configure::read('Error')))

        // Handle plugin/theme assets like CakePHP normally does.
        ->add(new AssetMiddleware([
            'cacheTime' => Configure::read('Asset.cacheTime'),
        ]))

        // Add routing middleware.
        // If you have a large number of routes connected, turning on routes
        // caching in production could improve performance. For that when
        // creating the middleware instance specify the cache config name by
        // using its second constructor argument:
        // `new RoutingMiddleware($this, '_cake_routes_')`
        ->add(new RoutingMiddleware($this))

        // Parse various types of encoded request bodies so that they are
        // available as array through $request->getData()
        // https://book.cakephp.org/4/en/controllers/middleware.html#body-parser-middleware
        ->add(new BodyParserMiddleware())

        // Cross Site Request Forgery (CSRF) Protection Middleware
        // https://book.cakephp.org/4/en/controllers/middleware.html#cross-site-request-forgery-csrf-middleware
        //->add(new CsrfProtectionMiddleware([
        //    'httponly' => true,
        //]));
        ->add($csrf);

    return $middlewareQueue;
}

In this example, the callback matches on the controller name only, so the CSRF check is skipped for every action of ApisController.
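
The callback above exempts a whole controller. To exempt only specific actions, the match can be narrowed to an allowlist of controller/action pairs. This is an added example, not code from the original page or from the CakePHP project; the action names `webhook` and `notify` and the helpers `isCsrfExempt()` and `buildCsrfMiddleware()` are hypothetical.

```php
<?php
declare(strict_types=1);

use Cake\Http\Middleware\CsrfProtectionMiddleware;
use Cake\Http\ServerRequest;

// Hypothetical allowlist (not from the original page): controller => exempt actions.
const CSRF_EXEMPT = [
    'Apis' => ['webhook', 'notify'],
];

/**
 * Decide from the routing params whether the CSRF token check may be skipped.
 * Matching is exact and case-sensitive, and anything routed under a plugin or
 * prefix is never exempt, so e.g. a prefixed Admin/ApisController keeps its check.
 */
function isCsrfExempt(array $params, array $exempt = CSRF_EXEMPT): bool
{
    $controller = $params['controller'] ?? null;
    $action = $params['action'] ?? null;
    if (!is_string($controller) || !is_string($action)) {
        return false; // request was not routed: keep the token check
    }
    if (!empty($params['plugin']) || !empty($params['prefix'])) {
        return false; // same controller name in another namespace: keep the check
    }

    // Unknown controllers fall back to an empty list, so the default is "check".
    return in_array($action, $exempt[$controller] ?? [], true);
}

/** Build the middleware to pass to $middlewareQueue->add() in src/Application.php. */
function buildCsrfMiddleware(): CsrfProtectionMiddleware
{
    $csrf = new CsrfProtectionMiddleware(['httponly' => true]);
    // The token check is skipped only when the callback returns true.
    $csrf->skipCheckCallback(function (ServerRequest $request): bool {
        return isCsrfExempt([
            'plugin' => $request->getParam('plugin'),
            'prefix' => $request->getParam('prefix'),
            'controller' => $request->getParam('controller'),
            'action' => $request->getParam('action'),
        ]);
    });

    return $csrf;
}
```

With this in place, `->add($csrf)` becomes `->add(buildCsrfMiddleware())`, and any action not listed, including other actions of ApisController, still requires a valid token.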
