'; } /** * Verify the token on a POST request. Aborts with 403 if invalid. * Call at the very top of every POST handler. */ function csrf_verify(): void { $sent = $_POST['_csrf'] ?? ''; if (!hash_equals(csrf_token(), (string)$sent)) { http_response_code(403); echo 'CSRF token mismatch. Please reload the form and try again.'; exit; } }