I think that in 2.0 we should enable CSRF token and cookie validation by default, so that the framework is more secure out of the box. We should also make it easier to turn off CSRF validation for certain controllers and actions.
CSRF / cookie protection turned on by default
#2
Posted 17 April 2012 - 09:36 PM
phpnode, on 31 March 2012 - 03:05 PM, said:
I think that in 2.0 we should enable CSRF token and cookie validation by default, so that the framework is more secure out of the box. ...
I think it should be left as it is; not every application needs this extra security.
phpnode, on 31 March 2012 - 03:05 PM, said:
... We should also make it easier to turn off CSRF validation for certain controllers and actions.
I really like this idea! Turning CSRF validation on or off based on what controller or action you use would be neat.
For example, you have CSRF validation turned on for controllers that are used by users, but turned off for SOAP requests by remote applications.
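The per-route toggle described in this post, as an added example that is neither Yii's code nor the poster's: a framework-agnostic PHP CSRF filter with per-controller and per-action exemptions (so a SOAP controller can opt out while user-facing controllers stay protected), plus an HMAC-signed cookie helper for the cookie-validation half of the proposal. The class names, the route ids (`site`, `soap`, `api`), the secret, and the requests in the demo at the bottom are all hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not code from Yii or from the thread's posters.
 * Per-controller / per-action CSRF opt-out plus HMAC-signed cookies.
 * Class and route names (CsrfFilter, CookieSigner, 'site', 'soap', 'api') are hypothetical.
 */

final class CsrfFilter
{
    const PARAM   = '_csrf';                    // form field or header carrying the token
    const SESSION = 'csrf_token';               // session key holding the server-side copy
    const SAFE    = ['GET', 'HEAD', 'OPTIONS']; // methods that must not change state

    /** @var array<string, true|string[]> controller id => true (whole controller) or list of exempt action ids */
    private $exempt;

    public function __construct(array $exempt = [])
    {
        $this->exempt = $exempt;
    }

    public function isExempt(string $controller, string $action): bool
    {
        $rule = $this->exempt[$controller] ?? null;
        return $rule === true || (is_array($rule) && in_array($action, $rule, true));
    }

    /** Issue a token into the session (when rendering a form) and return it for the hidden field. */
    public function issueToken(array &$session): string
    {
        if (empty($session[self::SESSION])) {
            $session[self::SESSION] = bin2hex(random_bytes(32));
        }
        return $session[self::SESSION];
    }

    /**
     * Decide whether a request may proceed: safe methods and exempt routes pass,
     * everything else must present the token stored in the session.
     */
    public function validate(string $method, string $controller, string $action,
                             array $session, array $post, array $headers): bool
    {
        if (in_array(strtoupper($method), self::SAFE, true)) {
            return true;
        }
        if ($this->isExempt($controller, $action)) {
            return true; // e.g. a SOAP endpoint that authenticates remote applications by other means
        }
        $expected  = $session[self::SESSION] ?? '';
        $submitted = $post[self::PARAM] ?? ($headers['X-CSRF-Token'] ?? '');
        if ($expected === '' || $submitted === '') {
            return false;
        }
        return hash_equals($expected, $submitted); // constant-time comparison
    }
}

/** Signs cookie values with HMAC-SHA256 so that client-side tampering is detected. */
final class CookieSigner
{
    private $key;

    public function __construct(string $key)
    {
        $this->key = $key;
    }

    public function sign(string $value): string
    {
        return hash_hmac('sha256', $value, $this->key) . '|' . $value;
    }

    /** Returns the original value, or null when the MAC does not match. */
    public function verify(string $signed): ?string
    {
        $parts = explode('|', $signed, 2);
        if (count($parts) !== 2) {
            return null;
        }
        [$mac, $value] = $parts;
        return hash_equals(hash_hmac('sha256', $value, $this->key), $mac) ? $value : null;
    }
}

// --- demo with constructed requests (hypothetical controller and action ids) ---
$filter  = new CsrfFilter(['soap' => true, 'api' => ['webhook']]);
$session = [];
$token   = $filter->issueToken($session);

var_dump($filter->validate('POST', 'site', 'login', $session, [CsrfFilter::PARAM => $token], [])); // valid token
var_dump($filter->validate('POST', 'site', 'login', $session, [], []));                             // token missing
var_dump($filter->validate('POST', 'site', 'login', $session, [CsrfFilter::PARAM => 'forged'], [])); // wrong token
var_dump($filter->validate('POST', 'soap', 'handle', $session, [], []));                            // whole controller exempt
var_dump($filter->validate('POST', 'api', 'webhook', $session, [], []));                            // single action exempt
var_dump($filter->validate('POST', 'api', 'delete', $session, [], []));                             // non-exempt action, no token

$signer = new CookieSigner('replace-with-a-random-secret'); // hypothetical key, load from config in practice
$cookie = $signer->sign('user=42');
var_dump($signer->verify($cookie));                         // untouched cookie
var_dump($signer->verify(str_replace('42', '1', $cookie))); // tampered cookie
```

Run it with `php csrf_filter.php`. The caveat a practitioner should keep in mind: exempting a route is only safe when that route does not rely on the browser's ambient credentials (session cookie, basic auth) for authorisation. A SOAP endpoint called by remote applications with their own credentials is the intended case; an exempt action that still trusts the session cookie is simply an unprotected CSRF target.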
#3
Posted 18 April 2012 - 02:28 AM
There is absolutely no reason to allow CSRF on any site; it's better to be secure by default.