Add CSRF-Tokens for Station and User handling

application/controllers/Qso.php

@@ -217,6 +217,14 @@ class QSO extends CI_Controller {
 	 * Returns JSON
 	 */
 	public function saveqso() {
+		// CSRF mitigation: this endpoint is AJAX-only; reject plain form submissions
+		if ($this->input->server('HTTP_X_REQUESTED_WITH') !== 'XMLHttpRequest') {
+			$this->output->set_status_header(403)
+			             ->set_content_type('application/json')
+			             ->set_output(json_encode(['error' => 'Forbidden']));
+			return;
+		}
+
 		$this->load->model('logbook_model');
 
 		$qso_data = [
@@ -563,7 +571,20 @@ class QSO extends CI_Controller {
 	}
 
 	/* Delete QSO */
-	function delete($id) {
+	function delete() {
+		// CSRF mitigation: reject non-POST requests
+		if ($this->input->method() !== 'post') {
+			$this->session->set_flashdata('error', __("Invalid request method"));
+			redirect('dashboard');
+			return;
+		}
+
+		$id = $this->input->post('id', TRUE);
+		if (empty($id)) {
+			redirect('dashboard');
+			return;
+		}
+
 		$this->load->model('logbook_model');
 
 		if ($this->logbook_model->check_qso_is_accessible($id)) {

application/controllers/Station.php

@@ -66,10 +66,21 @@ class Station extends CI_Controller
 			$data['oqrs'] = $this->input->post('oqrs');
 			$data['oqrsemail'] = $this->input->post('oqrsemail');
 			$data['oqrstext'] = $this->input->post('oqrstext');
+			$csrf_token = bin2hex(random_bytes(32));
+			$this->session->set_userdata('csrf_station_create', $csrf_token);
+			$data['csrf_token'] = $csrf_token;
 			$this->load->view('interface_assets/header', $data);
 			$this->load->view('station_profile/create', $data);
 			$this->load->view('interface_assets/footer');
 		} else {
+			$submitted = $this->input->post('csrf_token', TRUE);
+			$stored    = $this->session->userdata('csrf_station_create');
+			if (empty($submitted) || empty($stored) || !hash_equals($stored, $submitted)) {
+				$this->session->set_flashdata('error', __("Invalid security token"));
+				redirect('station/create');
+				return;
+			}
+			$this->session->set_userdata('csrf_station_create', bin2hex(random_bytes(32)));
 			$this->stations->add();
 			redirect('stationsetup');
 		}
@@ -85,10 +96,22 @@ class Station extends CI_Controller
 			$this->form_validation->set_rules('dxcc', 'DXCC', 'required');
 			$this->form_validation->set_rules('gridsquare', 'Locator', 'callback_check_locator');
 			if ($this->form_validation->run() == FALSE) {
+				$csrf_token = bin2hex(random_bytes(32));
+				$this->session->set_userdata('csrf_station_edit', $csrf_token);
+				$data['csrf_token'] = $csrf_token;
 				$this->load->view('interface_assets/header', $data);
-				$this->load->view('station_profile/edit');
+				$this->load->view('station_profile/edit', $data);
 				$this->load->view('interface_assets/footer');
 			} else {
+				$submitted = $this->input->post('csrf_token', TRUE);
+				$stored    = $this->session->userdata('csrf_station_edit');
+				if (empty($submitted) || empty($stored) || !hash_equals($stored, $submitted)) {
+					$this->session->set_flashdata('error', __("Invalid security token"));
+					redirect('station/edit/' . $id);
+					return;
+				}
+				$this->session->set_userdata('csrf_station_edit', bin2hex(random_bytes(32)));
+
 				if ($this->stations->edit()) {
 					$data['notice'] = __("Station Location") . $this->security->xss_clean($this->input->post('station_profile_name', true)) . " Updated";
 				}

application/controllers/User.php

@@ -1088,6 +1088,9 @@ class User extends CI_Controller {
 
 		if ($this->form_validation->run() == FALSE)
 		{
+			$csrf_token = bin2hex(random_bytes(32));
+			$this->session->set_userdata('csrf_user_delete', $csrf_token);
+			$data->csrf_token = $csrf_token;
 
 			$this->load->view('interface_assets/header', $data);
 			$this->load->view('user/delete');
@@ -1095,6 +1098,15 @@ class User extends CI_Controller {
 		}
 		else
 		{
+			$submitted = $this->input->post('csrf_token', TRUE);
+			$stored    = $this->session->userdata('csrf_user_delete');
+			if (empty($submitted) || empty($stored) || !hash_equals($stored, $submitted)) {
+				$this->session->set_flashdata('error', __("Invalid security token"));
+				redirect('user');
+				return;
+			}
+			$this->session->set_userdata('csrf_user_delete', bin2hex(random_bytes(32)));
+
 			if($this->user_model->delete($data->user_id))
 			{
 				$this->session->set_flashdata('notice', __("User deleted"));

application/views/station_profile/create.php

@@ -43,6 +43,7 @@ if ($dxcc_list->result() > 0) {
 	<?php } ?>
 
 	<form method="post" action="<?php echo site_url('station/create'); ?>" name="create_profile">
+	<input type="hidden" name="csrf_token" value="<?php echo $csrf_token; ?>">
 
 	<div class="row">
 		<!-- Basic Station Info -->

application/views/station_profile/edit.php

@@ -54,6 +54,7 @@ if ($dxcc_list->result() > 0) {
 	?>
 		<form method="post" action="<?php echo site_url('station/edit/'); ?><?php echo $my_station_profile->station_id; ?>" name="create_profile">
 			<input type="hidden" name="station_id" value="<?php echo $my_station_profile->station_id; ?>">
+			<input type="hidden" name="csrf_token" value="<?php echo $csrf_token; ?>">
 
 	<?php } else {
 		$form_action = __("Create");

application/views/user/delete.php

@@ -11,6 +11,7 @@
 
 	    <form method="post" action="<?php echo site_url('user/delete')."/".$this->uri->segment(3); ?>" name="users">
 	    <input type="hidden" name="id" value="<?php echo $this->uri->segment(3); ?>" />
+	    <input type="hidden" name="csrf_token" value="<?php echo $csrf_token; ?>" />
 			<input class="btn btn-danger" type="submit" value="<?= __("Yes, delete this user"); ?>" /> <a href="<?php echo site_url('user'); ?>" class="btn btn-success"><?= __("No, do not delete this user"); ?></a>
 			</form>
 	  </div>