Description
It bugs me that I have to disable http_method_override in every Symfony project because it defaults to true: https://symfony.com/doc/current/reference/configuration/framework.html#http-method-override
The use case of this feature is clear: to emulate e.g. PUT or DELETE requests using HTML forms. But I think the need for this is very uncommon and not modern. Furthermore, enabling it opens a security gateway if not used with CSRF protection.
So I'm proposing to switch the default value to false in the next major Symfony version. For this, we need to deprecate relying on the default value. This should not affect many people as the default recipes already disable this config anyway, see https://github.com/symfony/recipes/blob/master/symfony/framework-bundle/5.4/config/packages/framework.yaml#L5
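Added example, not part of the original issue or of Symfony's own code: what the setting changes for a plain form POST that carries a `_method` field, using the HttpFoundation `Request` class. It assumes `symfony/http-foundation` is installed with Composer; the path `/articles/42` and the helper names are hypothetical.

```php
<?php
// Added example: compares how one form POST is seen with the override off and on.
// Assumption: symfony/http-foundation is available through Composer's autoloader.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Request;

/**
 * Hypothetical helper: flag a request whose effective method differs from
 * the method actually sent, e.g. for an access log or a test suite.
 */
function isOverridden(Request $request): bool
{
    return $request->getMethod() !== $request->getRealMethod();
}

/**
 * Hypothetical helper: build the request an HTML form would send
 * (POST body with a hidden _method field) and report how it is interpreted.
 */
function describeFormPost(): array
{
    // Constructed sample request; path and field value are illustrative only.
    $request = Request::create('/articles/42', 'POST', ['_method' => 'DELETE']);

    return [
        'real'       => $request->getRealMethod(), // method sent on the wire
        'effective'  => $request->getMethod(),     // method the router matches on
        'overridden' => isOverridden($request),
    ];
}

// Equivalent of "http_method_override: false": the _method field is not consulted.
$off = describeFormPost();

// With "http_method_override: true", FrameworkBundle turns on this static switch
// at boot. It is process-wide, so the "off" case has to be evaluated first.
Request::enableHttpMethodParameterOverride();
$on = describeFormPost();

foreach (['off' => $off, 'on' => $on] as $label => $result) {
    printf(
        "override %-3s real=%s effective=%s overridden=%s\n",
        $label,
        $result['real'],
        $result['effective'],
        $result['overridden'] ? 'yes' : 'no'
    );
}
```

With the override on, any route restricted to DELETE or PUT becomes reachable from an ordinary HTML form, which is why the issue ties the setting to CSRF protection on those routes.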