include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
For https://laravel.com/docs/8.x/csrf#csrf-excluding-uris[Laravel VerifyCsrfToken middleware]
----
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;
class VerifyCsrfToken extends Middleware
{
    // Every URI matching a pattern in this list bypasses the CSRF token check,
    // so a state-changing request to any route under 'api/*' is accepted
    // without a token. Keep this list empty unless the route is protected by
    // another mechanism that a browser cannot trigger cross-site.
    protected $except = [
        'api/*'
    ]; // Sensitive; disable CSRF protection for a list of routes
}
----
For https://symfony.com/doc/current/security/csrf.html#csrf-protection-in-symfony-forms[Symfony Forms]
----
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
class Controller extends AbstractController {
    // Builds a form whose submissions are accepted without a CSRF token.
    public function action() {
        $formOptions = [
            'csrf_protection' => false, // Sensitive; disable CSRF protection for a single form
        ];
        $this->createForm('', null, $formOptions);
    }
}
----
== Compliant Solution
For https://laravel.com/docs/8.x/csrf#csrf-excluding-uris[Laravel VerifyCsrfToken middleware]
----
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;
class VerifyCsrfToken extends Middleware
{
    // No URI is excluded, so the middleware verifies the CSRF token on every
    // matching request.
    protected $except = []; // Compliant
}
----
Remember to add the https://laravel.com/docs/8.x/blade#csrf-field[@csrf] blade directive to the relevant forms when removing an element from $except. Otherwise, submissions of those forms will stop working, because the requests no longer carry the CSRF token that the middleware now verifies.
For https://symfony.com/doc/current/security/csrf.html#csrf-protection-in-symfony-forms[Symfony Forms]
----
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
class Controller extends AbstractController {
    // Builds a form with the framework defaults, which include CSRF protection.
    public function action() {
        $formOptions = [];
        $this->createForm('', null, $formOptions); // Compliant; CSRF protection is enabled by default
    }
}
----
include::../see.adoc[]