
[RFC][Security] Built-in CSRF protection for firewalls #34004

Closed
@ro0NL

Description

@ro0NL

This is an alternative proposal for #13464 and #33171, based on #33171 (comment) and #33171 (comment)

Long story short:

```yaml
security:
  firewalls:
    some:
      csrf:
        allow_self: true # default
        allow_origin: [ trusted.com ]
        allow_session: true # default, used if session is available
```

I think it could deprecate the form integration, and probably the entire storage/token concept currently provided by Security/Csrf.

The new CSRF protection would be based on the Origin/Referer header.

Imagine restoring a prod DB in your local dev application, which contains links to the prod environment (or e.g. hardcoded URLs in code); based on user navigation you can go from dev to prod without really noticing. Mostly I'm logged in on both environments and both applications look exactly the same. In this case, we've successfully CSRF attacked ourselves using GET requests 😓

A global firewall protection would solve it out-of-the-box.

Thoughts?
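As an added illustration of the Origin/Referer-based check the proposal sketches (example code written for this page, not Symfony's own implementation and not part of the issue), the function below applies the `allow_self` and `allow_origin` semantics from the config snippet. The function names, the `$selfOrigin` parameter and the assumption that a bare hostname in `allow_origin` means `https://` are mine; `allow_session` is left out because it depends on the token storage the proposal would deprecate. Safe methods (GET, HEAD, OPTIONS) are exempted by default, as per RFC 7231 method semantics; covering the issue's self-inflicted GET scenario would mean extending that list deliberately.

```php
<?php
// Added example, not Symfony code: a firewall-level CSRF check based on
// the Origin header, with Referer as fallback. Requires PHP 8 (str_contains).
declare(strict_types=1);

/**
 * Normalise a URL or origin to lower-cased "scheme://host[:port]", dropping
 * default ports so "https://a.example:443" and "https://a.example" compare equal.
 * Returns null when the value has no usable scheme and host (e.g. "null").
 */
function normalizeOrigin(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    $host   = strtolower($parts['host']);
    $port   = $parts['port'] ?? null;
    $defaultPort = ['http' => 80, 'https' => 443][$scheme] ?? null;
    if ($port === null || $port === $defaultPort) {
        return $scheme . '://' . $host;
    }
    return $scheme . '://' . $host . ':' . $port;
}

/**
 * Decide whether a request passes the CSRF check.
 *
 * $headers    lower-cased header name => value (e.g. from getallheaders())
 * $selfOrigin origin the application itself is served from (assumed to be
 *             derived from the trusted-host/proxy configuration, not from Host)
 * $config     ['allow_self' => bool, 'allow_origin' => string[]]
 */
function csrfCheck(string $method, array $headers, string $selfOrigin, array $config): bool
{
    // Safe methods are exempt; add GET here only if you want to cover the
    // cross-environment navigation scenario described in the issue.
    if (in_array(strtoupper($method), ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true;
    }

    // Build the allow-list from allow_self and allow_origin.
    $allowed = [];
    if ($config['allow_self'] ?? true) {
        $allowed[] = normalizeOrigin($selfOrigin);
    }
    foreach ($config['allow_origin'] ?? [] as $origin) {
        // Assumption: a bare hostname such as "trusted.com" means https://trusted.com
        $allowed[] = normalizeOrigin(str_contains($origin, '://') ? $origin : 'https://' . $origin);
    }
    $allowed = array_filter($allowed);

    // Prefer Origin: browsers send it on cross-origin requests and on POST.
    // "Origin: null" (sandboxed frames, some redirects) cannot be attributed
    // to a site, so it is treated as untrusted rather than falling through.
    if (isset($headers['origin'])) {
        $source = $headers['origin'];
    } elseif (isset($headers['referer'])) {
        // Referer may be stripped by referrer policies; it is only a fallback.
        $source = $headers['referer'];
    } else {
        // Neither header: fail closed. A cross-site form POST from a browser
        // carries at least one of them, so legitimate traffic is not affected.
        return false;
    }

    $sourceOrigin = normalizeOrigin($source);
    return $sourceOrigin !== null && in_array($sourceOrigin, $allowed, true);
}

// Usage with the proposal's config shape and constructed requests.
$config = ['allow_self' => true, 'allow_origin' => ['trusted.com']];
$self   = 'https://app.example';
var_dump(csrfCheck('POST', ['origin' => 'https://app.example'], $self, $config));
var_dump(csrfCheck('POST', ['origin' => 'https://trusted.com'], $self, $config));
var_dump(csrfCheck('POST', ['referer' => 'https://evil.example/x'], $self, $config));
var_dump(csrfCheck('POST', [], $self, $config));
```

Of the four constructed requests, the first two (same origin and the listed `trusted.com`) pass and the last two (a foreign Referer, and no source header at all) are rejected. The point worth keeping in mind for a firewall-level version is the source of `$selfOrigin`: deriving it from the request's own `Host` header would let an attacker who controls Host-based routing satisfy `allow_self`, so it should come from the trusted-hosts configuration.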

Labels: RFC (Request For Comments: proposals about features that you want to be discussed), Security