A minor version of the CSRF package was tagged, adding the ability to specify your own failure handler:
use Psr\Http\Message\ResponseFactoryInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Yiisoft\Csrf\CsrfMiddleware;
/**
* @var Psr\Http\Message\ResponseFactoryInterface $responseFactory
* @var Yiisoft\Csrf\CsrfTokenInterface $csrfToken
*/
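// Custom failure handler for CsrfMiddleware. It is passed as the third
// constructor argument below and builds the response for a request the
// middleware rejects. The handler answers the request itself: handle() never
// delegates to another handler, so a rejected request does not reach the
// application.
$failureHandler = new class ($responseFactory) implements RequestHandlerInterface {
    private ResponseFactoryInterface $responseFactory;

    /**
     * @param ResponseFactoryInterface $responseFactory PSR-17 factory used to build the rejection response.
     */
    public function __construct(ResponseFactoryInterface $responseFactory)
    {
        $this->responseFactory = $responseFactory;
    }

    /**
     * Returns a fixed "400 Bad request." response for the rejected request.
     *
     * The return type is Psr\Http\Message\ResponseInterface and must be
     * imported with a `use` statement; without it the name resolves to a
     * non-existent class and the declaration is incompatible with
     * RequestHandlerInterface::handle().
     *
     * @param ServerRequestInterface $request The rejected request; its contents are not read.
     *
     * @return ResponseInterface Response with status 400 and a static body.
     */
    public function handle(ServerRequestInterface $request): ResponseInterface
    {
        // Static status and body: nothing from the request is echoed back and
        // no detail about why validation failed is disclosed to the client.
        // If request data is ever added to this body, escape it for the
        // output context first.
        $response = $this->responseFactory->createResponse(400);
        $response->getBody()->write('Bad request.');

        return $response;
    }
};

$middleware = new CsrfMiddleware($responseFactory, $csrfToken, $failureHandler);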