I will post a blog post about security when we release beta3. Short story:

People need to be aware of what kind of things are done automatically for them. If not, they won't understand the principles behind the CSRF protection and then, they won't understand why you can't put a form with CSRF protection in the cache ;) The same goes for XSS protection (output escaping).

In beta3, the generate:app task will have new mandatory option(s) to configure the security level of the new application. It will force users to think about the security and what to enable/disable by default.

And here is a question for all of you. How to name this/these new options. Here is my proposition: 2 options, one for XSS and one for CSRF:

--xss-protection=on / off / both
--csrf-protection=on / off

Let's start the discussion ;)

Fabien

--
Fabien Potencier
Sensio CEO - symfony lead developer
sensiolabs.com | symfony-project.com | aide-de-camp.org
Tél: +33 1 40 99 80 80

Ian P. Christian wrote:
> Not that I'm overly bothered.... but...
>
> Why has CSRF been disabled by default?
>
> Kind Regards,
>
> Ian
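Why a CSRF-protected form cannot come out of a shared page cache, as an added example that is not part of the thread or of symfony's code: the token is derived from a per-session secret, so cached HTML carries the first visitor's token and fails validation for everyone else. The dict-based session store, the token derivation and the helper names are assumptions made for this example.

```python
import hmac
import hashlib
import secrets
from html import escape

# Constructed application secret; a real app reads it from configuration.
SECRET_KEY = b"constructed-app-secret"


def csrf_token(session):
    """Return the CSRF token bound to this session, creating its secret on first use."""
    if "csrf_secret" not in session:
        session["csrf_secret"] = secrets.token_hex(16)
    return hmac.new(SECRET_KEY, session["csrf_secret"].encode(), hashlib.sha256).hexdigest()


def render_form(session, action="/comment"):
    """Render the form with its hidden token; this HTML is what a page cache would store."""
    return (f'<form method="post" action="{escape(action)}">'
            f'<input type="hidden" name="_csrf_token" value="{csrf_token(session)}">'
            f'</form>')


def extract_token(html):
    """Pull the hidden token back out of rendered HTML, as a browser would submit it."""
    marker = 'name="_csrf_token" value="'
    start = html.index(marker) + len(marker)
    return html[start:html.index('"', start)]


def validate_submission(session, posted_token):
    """Constant-time comparison of the posted token against the one this session expects."""
    return hmac.compare_digest(csrf_token(session), posted_token)


def simulate_shared_cache():
    """Two users, one cached page: the second user's submission is rejected."""
    alice, bob = {}, {}          # two independent sessions
    page_cache = {}              # a shared full-page cache keyed by URL
    # Alice's request misses the cache; her rendered form (with her token) is stored.
    page_cache["/comment"] = render_form(alice)
    # Bob is served the cached HTML, i.e. Alice's token, and submits it.
    bob_submitted = extract_token(page_cache["/comment"])
    return {
        "alice_ok": validate_submission(alice, extract_token(render_form(alice))),
        "bob_from_cache_ok": validate_submission(bob, bob_submitted),
        "bob_fresh_ok": validate_submission(bob, extract_token(render_form(bob))),
    }


if __name__ == "__main__":
    print(simulate_shared_cache())
```

The same run shows the fix: rendering the form per request (`bob_fresh_ok`) validates, so a CSRF-protected form must be excluded from the cache or its token injected after the cache lookup.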
