There's a little advice here:
https://stackoverflow.com/questions/40762078/prevent-csrf-attack-in-modx-formit
I couldn't find anything on MODX's defenses against CSRF attacks, but the most recent vulnerability report I could find was from 2014 -- fixed long ago.
There's some good info on token generation here, though I think much of it is overkill for your situation.
I'd do something like this (untested):
Put a hidden input tag in the form.
<input name="CSRF_token" type="hidden" value="[[+CSRF_token]]" />
Then in the preHook:
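<?php
/* FormIt preHook: create a per-session CSRF token and check it on submit */
if (empty($_SESSION['token'])) {
    /* mcrypt was removed from PHP core in 7.2; the openssl branch runs there */
    if (function_exists('mcrypt_create_iv')) {
        $_SESSION['token'] = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));
    } else {
        $_SESSION['token'] = bin2hex(openssl_random_pseudo_bytes(32));
    }
}
if (isset($_POST['yourSubmitVar']) && (string) $_POST['yourSubmitVar'] === 'yourSubmitVarValue') {
    /* Repost */
    $posted = (string) $modx->getOption('CSRF_token', $_POST, null, true);
    /* hash_equals() compares in constant time */
    $verified = hash_equals((string) $_SESSION['token'], $posted);
    if (! $verified) {
        /* (optionally) log it somewhere */
        $modx->sendUnauthorizedPage();
    }
}
/* Set on every load so a form re-rendered after a validation error still carries the token */
$modx->setPlaceholder('CSRF_token', $_SESSION['token']);
/* FormIt only continues when a hook returns true */
return true;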
If you don't mind, let me know what you finally use and I'll do a blog post on it.