Is it possible to enable CSRF protection for RESTful method like PUT and DELETE
#3

While danglyuluo is correct, I personally wouldn't use it in an API for two reasons:

1. Most APIs are designed to be stateless, and using a cookie to store that information doesn't allow it to be stateless.
2. This is the more important one. CSRF stands for Cross-Site Request Forgery and, by their very nature, most APIs are called from somewhere other than the main site, like third-party sites, mobile apps, etc. So most APIs would fail those checks anyway since they wouldn't know the nonce that our CSRF protection creates.

However, if you're only using the API through AJAX on your own site, you can use get_csrf_token_name() and get_csrf_hash() to insert those into your JavaScript at runtime. If you do this, you would need to set $config['csrf_regenerate'] = FALSE; because otherwise CSRF tokens are regenerated for every request, so your AJAX methods would have invalid hashes.
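A minimal config and view sketch for the "AJAX on your own site" case described in the post above; this is an added example, not code from the thread or from the CodeIgniter project. It assumes CodeIgniter 3 (whose built-in verification reads the token from the POST body together with the CSRF cookie), a view rendered by a controller that has the Security class loaded, and a hypothetical `/api/items` endpoint.

```php
<?php
// application/config/config.php (CodeIgniter 3): keep the hash stable across
// requests so the token embedded in the page stays valid for later AJAX calls.
$config['csrf_protection'] = TRUE;
$config['csrf_token_name']  = 'csrf_test_name';
$config['csrf_cookie_name'] = 'csrf_cookie_name';
$config['csrf_expire']      = 7200;
$config['csrf_regenerate']  = FALSE;  // TRUE would invalidate the token after the first request

// application/views/app.php: emit the current token name and hash into JavaScript.
// Both values come from CI's Security class; json_encode keeps them safely quoted.
?>
<script>
  var CSRF = {
    name: <?php echo json_encode($this->security->get_csrf_token_name()); ?>,
    hash: <?php echo json_encode($this->security->get_csrf_hash()); ?>
  };

  // Hypothetical helper: send an AJAX call with the CSRF field in the POST body,
  // which is where CodeIgniter 3 looks for it. Same-origin cookies travel along,
  // so the server can compare the posted hash against the CSRF cookie.
  function apiPost(url, data) {
    var body = new URLSearchParams(data);
    body.append(CSRF.name, CSRF.hash);
    return fetch(url, {
      method: 'POST',
      credentials: 'same-origin',
      headers: {'X-Requested-With': 'XMLHttpRequest'},
      body: body
    }).then(function (r) {
      // CodeIgniter answers a failed CSRF check with a 403 error page.
      if (r.status === 403) { throw new Error('CSRF check failed'); }
      return r.json();
    });
  }

  // Hypothetical endpoint; /api/items is not from the thread.
  apiPost('/api/items', {title: 'example'}).then(console.log, console.error);
</script>
```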


Messages In This Thread
RE: Is it possible to enable CSRF protection for RESTful method like PUT and DELETE - by kilishan - 05-18-2016, 09:55 AM


