CSRF Token

Upon login, issue the user a CSRF token (in their session). This token should be provided when completing sensitive actions (e.g. deleting companies/clients, changing their password, etc.)

Ref: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern

settings-user.php

@@ -21,6 +21,7 @@ $sql_recent_logs = mysqli_query($mysqli,"SELECT * FROM logs
       <div class="card-body">
 
         <form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
+          <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
           <input type="hidden" name="user_id" value="<?php echo $session_user_id; ?>">
           <input type="hidden" name="existing_file_name" value="<?php echo $session_avatar; ?>">