
Commit 1b0ff1e

committed
Minor reword
1 parent 39e014b commit 1b0ff1e

File tree

1 file changed

+13
-11
lines changed


security/csrf.rst

Lines changed: 13 additions & 11 deletions
Original file line number | Diff line number | Diff line change
@@ -5,17 +5,6 @@ CSRF, or `Cross-site request forgery`_, is a type of attack where a malicious ac
55
tricks a user into performing actions on a web application without their knowledge
66
or consent.
77

8-
.. note::
9-
10-
According to `OWASP best practices`_, CSRF protection is only required for
11-
**state-changing operations**. Do not use GET requests for state-changing
12-
operations, as recommended by the HTTP specification. CSRF tokens must not be
13-
transmitted in GET request parameters, as they can leak through browser history,
14-
log files, network utilities, and Referer headers.
15-
16-
If you need to disable CSRF protection for specific forms (for example, forms
17-
that only perform read operations), see :ref:`form-csrf-customization`.
18-
198
The attack is based on the trust that a web application has in a user's browser
209
(e.g. on session cookies). Here's a real example of a CSRF attack: a malicious
2110
actor could create the following website:
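Review bot: Removing the whole note from the introduction (lines 8-17) means a reader now reaches the attack example on lines 19-21 without first being told that CSRF protection only matters for state-changing requests and that such requests must not use GET. That part is general HTTP guidance, not something specific to Symfony Forms, so consider keeping a one-sentence version of it here and moving only the form-specific sentence ("If you need to disable CSRF protection for specific forms ... see :ref:`form-csrf-customization`") down to the Symfony Forms section.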
@@ -121,6 +110,17 @@ CSRF Protection in Symfony Forms
121110
checks them automatically for you. So, when using Symfony Forms, you don't have
122111
to do anything to be protected against CSRF attacks.
123112

113+
.. note::
114+
115+
According to `OWASP best practices`_, CSRF protection is only required for
116+
**state-changing operations**, which must not use ``GET`` requests (as per the
117+
HTTP specification). Moreover, including CSRF tokens in ``GET`` request
118+
parameters can cause them to leak through browser history, log files, network
119+
utilities, and Referer headers.
120+
121+
If one of your forms uses GET (for example, a read-only search form), you
122+
can :ref:`configure the form to disable CSRF protection <form-csrf-configuration>`.
123+
124124
.. _form-csrf-customization:
125125

126126
By default Symfony adds the CSRF token in a hidden field called ``_token``, but
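Review bot: The rewording on lines 117-119 softens the normative statement. The old text said CSRF tokens "must not be transmitted in GET request parameters"; the new text only says that including them "can cause them to leak". Since the following sentence tells the reader how to switch CSRF protection off for GET forms, keep the prohibition explicit, e.g. "Never include CSRF tokens in ``GET`` request parameters: they leak through browser history, log files, network utilities, and Referer headers." Also, line 121 writes "uses GET" without the double backticks used for ``GET`` on lines 116 and 117; make the markup consistent within the note.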
@@ -170,6 +170,8 @@ Globally, you can configure it under the ``framework.form`` option:
170170
;
171171
};
172172
173+
.. _form-csrf-configuration:
174+
173175
On a form-by-form basis, you can configure the CSRF protection in the ``setDefaults()``
174176
method of each form::
175177
