Phase 2: Add CSRF token protection to all forms and processors - Created CsrfMiddleware class with 8 helper methods - Added CSRF tokens to 9 POST forms across trip/course/camping/membership - Added CSRF validation to all 10 POST processors - CsrfMiddleware.requireToken() validates and dies on invalid tokens - 100% POST endpoint coverage with CSRF protection

rescue_recovery.php

@@ -94,6 +94,7 @@ if (!empty($bannerImages)) {
                     <div class="blog-sidebar tour-sidebar">
                         <div class="widget widget-booking" data-aos="fade-up" data-aos-duration="1500" data-aos-offset="50">
                             <form action="process_course_booking.php" method="POST">
+                                <input type="hidden" name="csrf_token" value="<?php echo \Middleware\CsrfMiddleware::getToken(); ?>">
                                 <ul class="tickets clearfix">
                                     <li>
                                         Select Date