Can we have a compromise here? Leave it unsecure by default but at the end of the output at creation time, if those options weren't set, output a warning and the path to the documentation for more information.
Charley [EMAIL PROTECTED] said on Monday, March 31, 2008:
> Given the 'convention over configuration' mantra, I'm not sure forcing two
> config options at creation time is a good idea either.
>
> Documentationwise, that would imply explaining the security caveats of every
> web app even in a novice symfony tutorial. There is a time to do this, in
> the learning process of professional application development, but it is
> probably not when you give the framework a try.
>
> So I'm more in favor of an "unsecure" default, but with a new doc chapter
> explaining all the security risks and all the bad things that could happen,
> unless... You change two settings in the settings.yml.
>
> My 2c,
>
> François
>
> 2008/3/31, Fabien POTENCIER <[EMAIL PROTECTED]>:
>>
>> Lucas Stephanou wrote:
>> > I think that security options must be on by default, educate developers
>> > is lovely but when creating web applications isn't right place to do
>> > that.
>> > So I do vote to both protection on and if someone want to disable(
>> > knowing what he was doing) do it explicit.
>> > The name for options are ok.
>>
>> There is no default. When you create an application, you must provide
>> those 2 options.
>>
>> Fabien
>>
>> > On Mon, Mar 31, 2008 at 10:11 AM, Fabien POTENCIER
>> > <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> wrote:
>> >
>> >     I will post a blog post about security when we will release the
>> >     beta3.
>> >
>> >     Short story:
>> >
>> >     People need to be aware of what kind of things are done automatically
>> >     for them. If not, they won't understand the principles behind the CSRF
>> >     protection and then, they won't understand why you can't put a form
>> >     with CSRF protection in the cache ;) The same goes for CSS protection
>> >     (output escaping).
>> >
>> >     In beta3, the generate:app task will have new mandatory option(s) to
>> >     configure the security level of the new application. It will force
>> >     users to think about the security and what to enable/disable by
>> >     default.
>> >
>> >     And here is a question for all of you. How to name this/these new
>> >     options. Here is my proposition:
>> >
>> >     2 options, one for XSS and one for CSRF:
>> >
>> >     --xss-protection=on / off / both
>> >
>> >     --csrf-protection=on / off
>> >
>> >     Let's start the discussion ;)
>> >
>> >     Fabien
>> >
>> >     --
>> >     Fabien Potencier
>> >     Sensio CEO - symfony lead developer
>> >     sensiolabs.com <http://sensiolabs.com> | symfony-project.com
>> >     <http://symfony-project.com> | aide-de-camp.org
>> >     <http://aide-de-camp.org>
>> >     Tél: +33 1 40 99 80 80
>> >
>> >
>> >     Ian P. Christian wrote:
>> >     > Not that I'm overly bothered.... but...
>> >     >
>> >     > Why has CSRF been disabled by default?
>> >     >
>> >     > Kind Regards,
>> >     >
>> >     > Ian
>> >
>> >
>> > --
>> > Lucas Stephanou
>>

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "symfony developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/symfony-devs?hl=en
-~----------~----~----~----~------~----~------~--~---
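Fabien's remark that a form with CSRF protection cannot be put in the page cache, shown as an added example that is not symfony's code or anyone's from this thread: a generic per-session HMAC token, where `SECRET_KEY`, the session ids and the shared `page_cache` dict are all constructed for the demo.

```python
import hashlib
import hmac
import re

# Constructed demo secret; a real application keeps this out of source code.
SECRET_KEY = b"constructed-demo-secret"


def csrf_token(session_id: str) -> str:
    """Derive the CSRF token for one session as an HMAC over the session id."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def render_form(session_id: str) -> str:
    """Render the comment form with the session-bound token in a hidden field."""
    return (
        '<form method="post" action="/comment">'
        f'<input type="hidden" name="_csrf_token" value="{csrf_token(session_id)}">'
        '<input type="submit" value="Post"></form>'
    )


def extract_token(html: str) -> str:
    """Pull the hidden token out of rendered HTML (what a browser would submit)."""
    match = re.search(r'name="_csrf_token" value="([0-9a-f]{64})"', html)
    return match.group(1) if match else ""


def verify(session_id: str, submitted_token: str) -> bool:
    """Accept the POST only if the submitted token matches this session's token."""
    return hmac.compare_digest(csrf_token(session_id), submitted_token)


def submit_via_cache(page_cache: dict, session_id: str) -> bool:
    """Serve the form from a shared page cache (rendering it on a miss), then
    submit its token from the given session and report whether it verifies."""
    html = page_cache.get("/comment")
    if html is None:
        html = render_form(session_id)  # the first visitor's token gets cached
        page_cache["/comment"] = html
    return verify(session_id, extract_token(html))


if __name__ == "__main__":
    cache = {}
    print(submit_via_cache(cache, "session-A"))  # True: token was minted for A
    print(submit_via_cache(cache, "session-B"))  # False: B was served A's token
```

Every visitor after the first receives the first visitor's token from the cache, so their legitimate submissions fail verification; the form (or at least the token field) has to be rendered per session.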
