Commit 39e014b

minor #21638 [Form] Enhance CSRF documentation with OWASP best practices and guidelines (Spomky)
This PR was submitted for the 7.4 branch but it was merged into the 6.4 branch instead.

Discussion
----------

[Form] Enhance CSRF documentation with OWASP best practices and guidelines

ping `@javiereguiluz`

As you mentioned, Symfony Forms add CSRF tokens by default, including for forms using the GET method. This change clarifies that this practice is not recommended and points users to the section explaining how to disable CSRF protection.

Commits
-------

ec7eb4f Enhance CSRF documentation with OWASP best practices and guidelines
2 parents b5babf1 + ec7eb4f commit 39e014b

File tree

1 file changed

+12
-0
lines changed

security/csrf.rst

Lines changed: 12 additions & 0 deletions
@@ -5,6 +5,17 @@ CSRF, or `Cross-site request forgery`_, is a type of attack where a malicious ac
55
tricks a user into performing actions on a web application without their knowledge
66
or consent.
77

8+
.. note::
9+
10+
According to `OWASP best practices`_, CSRF protection is only required for
11+
**state-changing operations**. Do not use GET requests for state-changing
12+
operations, as recommended by the HTTP specification. CSRF tokens must not be
13+
transmitted in GET request parameters, as they can leak through browser history,
14+
log files, network utilities, and Referer headers.
15+
16+
If you need to disable CSRF protection for specific forms (for example, forms
17+
that only perform read operations), see :ref:`form-csrf-customization`.
18+
819
The attack is based on the trust that a web application has in a user's browser
920
(e.g. on session cookies). Here's a real example of a CSRF attack: a malicious
1021
actor could create the following website:
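Review bot: The note never states the Symfony-specific fact that motivates it, namely that Symfony Forms add a CSRF token to every form by default, including forms submitted with GET (this is stated in the PR description but not in the added text). A reader of the docs sees only the general OWASP rule and a pointer to `form-csrf-customization`, without being told that their GET forms currently carry a token in the query string and therefore need `csrf_protection` disabled. Consider making the first sentence of the second paragraph explicit, for example: "Symfony adds a CSRF token to every form by default, including forms submitted with GET. If a form only performs read operations, disable CSRF protection for it (see :ref:`form-csrf-customization`) so the token is not sent in the URL." Two smaller points: "as recommended by the HTTP specification" could link the specification it refers to (the definition of safe methods in RFC 9110) the same way the OWASP reference is linked, and placing this note between the definition of CSRF and the sentence "The attack is based on the trust..." interrupts the introduction; moving it after the attack example, or into the customization section itself, would keep the intro readable.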
@@ -255,5 +266,6 @@ attacker from guessing the CSRF tokens, a random mask is prepended to the token
255266
and used to scramble it.
256267

257268
.. _`Cross-site request forgery`: https://en.wikipedia.org/wiki/Cross-site_request_forgery
269+
.. _`OWASP best practices`: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
258270
.. _`BREACH`: https://en.wikipedia.org/wiki/BREACH
259271
.. _`CRIME`: https://en.wikipedia.org/wiki/CRIME
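Review bot: The link target name `OWASP best practices` is broader than what the URL actually points to, which is the OWASP Cross-Site Request Forgery Prevention Cheat Sheet. Naming the target after the document, for example `.. _`OWASP CSRF Prevention Cheat Sheet`: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html` and adjusting the reference in the note accordingly, tells readers which OWASP document is meant and matches how the neighbouring `BREACH` and `CRIME` targets are named after the thing they link to. The placement of the new target between the existing ones is fine since it follows the order of first use in the file.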

0 commit comments