Lucas Stephanou wrote:
> I think that security options must be on by default; educating developers
> is lovely, but creating web applications isn't the right place to do that.
> So I vote for both protections on, and if someone wants to disable them
> (knowing what he is doing), do it explicitly.
> The names for the options are ok.

There is no default. When you create an application, you must provide those 2 options.

Fabien

> On Mon, Mar 31, 2008 at 10:11 AM, Fabien POTENCIER <[EMAIL PROTECTED]> wrote:
>
> > I will post a blog post about security when we release beta3.
> >
> > Short story:
> >
> > People need to be aware of what kind of things are done automatically
> > for them. If not, they won't understand the principles behind the CSRF
> > protection and then, they won't understand why you can't put a form with
> > CSRF protection in the cache ;) The same goes for XSS protection (output
> > escaping).
> >
> > In beta3, the generate:app task will have new mandatory option(s) to
> > configure the security level of the new application. It will force users
> > to think about the security and what to enable/disable by default.
> >
> > And here is a question for all of you. How to name this/these new
> > options. Here is my proposition:
> >
> > 2 options, one for XSS and one for CSRF:
> >
> > --xss-protection=on / off / both
> >
> > --csrf-protection=on / off
> >
> > Let's start the discussion ;)
> >
> > Fabien
> >
> > --
> > Fabien Potencier
> > Sensio CEO - symfony lead developer
> > sensiolabs.com | symfony-project.com | aide-de-camp.org
> > Tél: +33 1 40 99 80 80
> >
> >
> > Ian P. Christian wrote:
> > > Not that I'm overly bothered.... but...
> > >
> > > Why has CSRF been disabled by default?
> > >
> > > Kind Regards,
> > >
> > > Ian
>
> --
> Lucas Stephanou
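The caching pitfall Fabien mentions (why a form carrying a CSRF token cannot go into a full-page cache), as an added Python example that is not part of this thread or of symfony's code. The `Session`, `render_form`, `csrf_check` and `FullPageCache` names are constructed for the illustration: the cache is keyed on URL only, so the second visitor receives the first visitor's token and the legitimate submission fails validation.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Minimal per-user session (constructed for this example)."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


def render_form(session: Session) -> str:
    """Render a form with the session's CSRF token as a hidden field."""
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="_csrf_token" value="{session.csrf_token}">'
        "</form>"
    )


def csrf_check(session: Session, submitted_token: str) -> bool:
    """Server-side validation: submitted token must match the session's token."""
    return hmac.compare_digest(session.csrf_token, submitted_token)


class FullPageCache:
    """Naive page cache keyed on URL only: it ignores which user asked."""

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def get_or_render(self, url: str, session: Session, renderer) -> str:
        if url not in self._store:
            self._store[url] = renderer(session)  # first visitor's output is kept
        return self._store[url]


def extract_token(html: str) -> str:
    """Pull the hidden token back out of the rendered HTML, as a browser would submit it."""
    marker = 'name="_csrf_token" value="'
    start = html.index(marker) + len(marker)
    return html[start:html.index('"', start)]


def demo_cached_form() -> dict:
    """Alice's rendered form is cached; Bob is served Alice's token and gets rejected."""
    alice, bob = Session("alice"), Session("bob")
    cache = FullPageCache()
    cache.get_or_render("/transfer", alice, render_form)
    bob_token = extract_token(cache.get_or_render("/transfer", bob, render_form))
    return {
        "bob_got_alice_token": bob_token == alice.csrf_token,
        "cached_submit_passes": csrf_check(bob, bob_token),
        "uncached_submit_passes": csrf_check(bob, extract_token(render_form(bob))),
    }
```

Either the protected form is rendered per user and left out of the page cache, or only the token-free parts of the page are cached.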
