---

I use csrf tokens with post forms but they require restrictive xss coding to work.
function code:


$salt = bin2hex(random_bytes(32));
$key = bin2hex(hash_hkdf('sha3-512', $secret, 0, $info."\0".$ttl, $salt));
$token = join('-', [$salt, $key, $ttl]);
return $token;


my original token lacked the joining method, which was corrected by a security expert.
the secret is stored as a session variable for reconstruction and validation of the token.
I also implement random names and values for form input controls including submit buttons.

rate limiting and load balancing is critical on the server.
a good host will do this automatically.