-
Notifications
You must be signed in to change notification settings - Fork 347
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add security.csrf_auto_token option to add CSRF token automatically #1974
Conversation
…en() Signed-off-by: Kenji Suzuki <[email protected]>
Add security.csrf_auto_token option to add CSRF token automatically
Thank you for merging. By the way, why the default value for I think the default value is All of them should be |
From a security point of view, you would say the default should be I did a quick history check, it seems it has always been |
Signed-off-by: Kenji Suzuki <[email protected]> See fuel#1974 (comment)
Yeah, I agree with you! I sent PRs to fix: |
Signed-off-by: Kenji Suzuki <[email protected]> See fuel#1974
Do we add ignore URI list like this? |
Would probably do it, but not very elegant. Thinking about it, I think when you enable automatic checking, you intend to check on every POST, and you as a developer should make sure every POST contains a token. If you don't intend to do that, don't enable auto checking, but check manually, for example in the |
If we have a site which has web apis, we may not use tokens on the apis. I don't think manual checking is safer. Because if a developer forgets to implements checking, the site would be vulnerable. If we have a lot of forms or important actions, it costs much to confirm every important action has checking logic. In my opinion, we should enable automatic checking always. |
I think there two different conditions:
Currently, we don't do neither by default because of BC reasons. In the app, we can do 1. by enabling Perhaps we should introduce two new config keys, something like This way you can define the behavior for both cases independently, and have BC covered. |
How do we know whether REST posts or not? |
is_ajax() ? |
|
I know that, but I don't think we can come up with something that fits all possible scenario's. If you have a specific environment, you need specific checks. So I'm looking for something that follows the 80/20 rule, and covers the majority of the use-cases. |
I opened a issue for this new functionality: #1981 |
This PR adds
security.csrf_auto_token
.If you set it true, CSRF token is added automatically when you call
Form::open()
.