From: Fabien POTENCIER <fabien.potenc...@symfony-project.com>
Date: Mon, 31 Mar 2008 18:21:47 +0200
Local: Mon, Mar 31 2008 12:21 pm
Subject: Re: [symfony-devs] Re: CSRF protection

Francois Zaninotto wrote:
> Given the 'convention over configuration' mantra, I'm not sure forcing
> two config options at creation time is a good idea either.

> Documentationwise, that would imply explaining the security caveats of
> every web app even in a novice symfony tutorial. There is a time to do
> this, in the learning process of professional application development,
> but it is probably not when you give the framework a try.

You're right. After some thought, I think that when you create a new
application, it's not the time to force the user to learn about XSS or
CSRF. It's too late.

Fabien

> So I'm more in favor of an "unsecure" default, but with a new doc
> chapter explaining all the security risks and all the bad things that
> could happen, unless... You change two settings in the settings.yml.

> My 2c,

> François

> 2008/3/31, Fabien POTENCIER <fabien.potenc...@symfony-project.com
> <mailto:fabien.potenc...@symfony-project.com>>:

> > Lucas Stephanou wrote:
> > > I think that security options must be on by default, educating
> > > developers is lovely but when creating web applications isn't the
> > > right place to do that.
> > > So I do vote for both protections on and if someone wants to disable
> > > (knowing what he is doing) do it explicitly.
> > > The names for the options are ok.
> >
> > There is no default. When you create an application, you must provide
> > those 2 options.
> >
> > Fabien
> >
> > > On Mon, Mar 31, 2008 at 10:11 AM, Fabien POTENCIER
> > > <fabien.potenc...@symfony-project.com> wrote:
> > >
> > > > I will post a blog post about security when we release beta3.
> > > >
> > > > Short story:
> > > >
> > > > People need to be aware of what kind of things are done
> > > > automatically for them. If not, they won't understand the
> > > > principles behind the CSRF protection and then, they won't
> > > > understand why you can't put a form with CSRF protection in the
> > > > cache ;) The same goes for XSS protection (output escaping).
> > > >
> > > > In beta3, the generate:app task will have new mandatory option(s)
> > > > to configure the security level of the new application. It will
> > > > force users to think about the security and what to enable/disable
> > > > by default.
> > > >
> > > > And here is a question for all of you. How to name this/these new
> > > > options. Here is my proposition:
> > > >
> > > > 2 options, one for XSS and one for CSRF:
> > > >
> > > > --xss-protection=on / off / both
> > > >
> > > > --csrf-protection=on / off
> > > >
> > > > Let's start the discussion ;)
> > > >
> > > > Fabien
> > > >
> > > > --
> > > > Fabien Potencier
> > > > Sensio CEO - symfony lead developer
> > > > sensiolabs.com | symfony-project.com | aide-de-camp.org
> > > > Tél: +33 1 40 99 80 80
> > > >
> > > > Ian P. Christian wrote:
> > > > > Not that I'm overly bothered.... but...
> > > > >
> > > > > Why has CSRF been disabled by default?
> > > > >
> > > > > Kind Regards,
> > > > >
> > > > > Ian
> > >
> > > --
> > > Lucas Stephanou

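Fabien's remark that a form with CSRF protection cannot be put in the cache, illustrated by an added example that is not from the thread and not symfony's own sfForm code: the token scheme (an HMAC over the form name keyed by a per-session secret), the `serve` handler, the shared cache and the two visitor secrets are all constructed for the demonstration. A token is only valid for the session that rendered the form, so HTML stored in a cache shared by all visitors hands the first visitor's token to everyone after them and their submissions fail.

```python
import hashlib
import hmac
import re

def csrf_token(session_secret: str, form_name: str) -> str:
    """Token bound to one session and one form: an HMAC over the form name
    keyed by the visitor's per-session secret (constructed scheme)."""
    return hmac.new(session_secret.encode(), form_name.encode(),
                    hashlib.sha256).hexdigest()

def validate_token(session_secret: str, form_name: str, submitted: str) -> bool:
    """Server-side check on POST: recompute for this session and compare."""
    expected = csrf_token(session_secret, form_name)
    return hmac.compare_digest(expected, submitted)

def render_form(session_secret: str, form_name: str) -> str:
    """The hidden field a CSRF-protected form carries; its value is per session."""
    token = csrf_token(session_secret, form_name)
    return (f'<form method="post" action="/{form_name}">'
            f'<input type="hidden" name="_csrf_token" value="{token}"></form>')

def extract_token(html: str) -> str:
    """What a browser sends back from the form it was served."""
    return re.search(r'name="_csrf_token" value="([0-9a-f]+)"', html).group(1)

def serve(cache: dict, url: str, session_secret: str, form_name: str,
          cache_forms: bool) -> str:
    """Page handler (hypothetical). With cache_forms=True the rendered HTML is
    stored in a cache shared by all visitors, the mistake the thread warns about."""
    if cache_forms and url in cache:
        return cache[url]
    html = render_form(session_secret, form_name)
    if cache_forms:
        cache[url] = html
    return html

def second_visitor_submission_valid(cache_forms: bool) -> bool:
    """Alice renders the form first; Bob then requests the same URL and submits
    what he was served. Returns whether Bob's POST passes validation."""
    cache = {}
    alice, bob = "secret-alice", "secret-bob"  # constructed per-session secrets
    serve(cache, "/contact", alice, "contact", cache_forms)
    bob_html = serve(cache, "/contact", bob, "contact", cache_forms)
    return validate_token(bob, "contact", extract_token(bob_html))

if __name__ == "__main__":
    print("cached form valid for Bob:", second_visitor_submission_valid(True))     # False
    print("uncached form valid for Bob:", second_visitor_submission_valid(False))  # True
```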
