I think that security options must be on by default. Educating developers is lovely, but creating web applications isn't the right place to do that. So I vote for both protections being on, and if someone wants to disable them (knowing what they are doing), they do it explicitly. The names for the options are OK.

On Mon, Mar 31, 2008 at 10:11 AM, Fabien POTENCIER <[EMAIL PROTECTED]> wrote:
> I will post a blog post about security when we release the beta3.
>
> Short story:
>
> People need to be aware of what kind of things are done automatically for them. If not, they won't understand the principles behind the CSRF protection, and then they won't understand why you can't put a form with CSRF protection in the cache ;) The same goes for XSS protection (output escaping).
>
> In beta3, the generate:app task will have new mandatory option(s) to configure the security level of the new application. It will force users to think about the security and what to enable/disable by default.
>
> And here is a question for all of you. How to name this/these new options? Here is my proposition:
>
> 2 options, one for XSS and one for CSRF:
>
> --xss-protection=on / off / both
>
> --csrf-protection=on / off
>
> Let's start the discussion ;)
>
> Fabien
>
> --
> Fabien Potencier
> Sensio CEO - symfony lead developer
> sensiolabs.com | symfony-project.com | aide-de-camp.org
> Tél: +33 1 40 99 80 80
>
>
> Ian P. Christian wrote:
> > Not that I'm overly bothered.... but...
> >
> > Why has CSRF been disabled by default?
> >
> > Kind Regards,
> >
> > Ian

--
Lucas Stephanou
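The two things Fabien mentions, a per-session CSRF token that cannot survive a shared page cache and output escaping of user data, can be shown together in a few dozen lines. This is an added illustration, not code from the thread or from symfony, and it is written in Python rather than PHP so that it runs stand-alone; the secret key, session ids, URL and form markup are all constructed for the demo.

```python
import hashlib
import hmac
import html
import re

# Constructed demo secret; a real application would load this from configuration.
SECRET_KEY = b"constructed-demo-secret-not-for-production"


def csrf_token(session_id: str) -> str:
    """Derive a CSRF token bound to one session (HMAC of the session id)."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def validate_submission(session_id: str, submitted_token: str) -> bool:
    """Accept a POST only if its token matches the token of the submitting session."""
    return hmac.compare_digest(csrf_token(session_id), submitted_token)


def render_form(session_id: str, username: str) -> str:
    """Render the profile form: CSRF token for the session, user data escaped."""
    return (
        '<form method="post" action="/profile">'
        f'<input type="hidden" name="_csrf_token" value="{csrf_token(session_id)}">'
        f'<input name="username" value="{html.escape(username, quote=True)}">'
        "</form>"
    )


def extract_token(page: str) -> str:
    """Pull the hidden token out of a rendered page (what the browser would submit)."""
    match = re.search(r'name="_csrf_token" value="([0-9a-f]+)"', page)
    return match.group(1) if match else ""


def serve(cache: dict, url: str, session_id: str, username: str, cacheable: bool) -> str:
    """Serve a page through a URL-keyed page cache.

    With cacheable=True the first render is stored and handed to every later
    visitor regardless of session; with cacheable=False the form is rendered fresh.
    """
    if cacheable and url in cache:
        return cache[url]
    page = render_form(session_id, username)
    if cacheable:
        cache[url] = page
    return page


def demo_cached_form() -> dict:
    """Show why a CSRF-protected form cannot live in the page cache."""
    cache: dict = {}
    page_a = serve(cache, "/profile", "session-A", "alice", cacheable=True)
    # Session B requests the same URL and receives A's cached markup, A's token included.
    page_b = serve(cache, "/profile", "session-B", "bob", cacheable=True)
    # B then posts the form: the token belongs to A, so B's legitimate submit is rejected.
    cached_submit_ok = validate_submission("session-B", extract_token(page_b))
    # Excluding the form from the cache gives B a token for its own session.
    fresh_b = serve({}, "/profile", "session-B", "bob", cacheable=False)
    fresh_submit_ok = validate_submission("session-B", extract_token(fresh_b))
    return {
        "a_submit_ok": validate_submission("session-A", extract_token(page_a)),
        "b_got_a_token": extract_token(page_b) == extract_token(page_a),
        "cached_submit_ok": cached_submit_ok,
        "fresh_submit_ok": fresh_submit_ok,
    }


if __name__ == "__main__":
    print(demo_cached_form())
```

The cached path fails for every visitor after the first, which is the behaviour the original post warns about; the usual fix is to mark pages containing a CSRF-protected form as non-cacheable (or to cache the page with the token slot empty and fill it per request), and to keep output escaping on so that user-supplied values like the username cannot break out of the attribute.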
