On 31 Mar., 18:21, Fabien POTENCIER <[EMAIL PROTECTED]> wrote:
> Francois Zaninotto wrote:
> > Given the 'convention over configuration' mantra, I'm not sure forcing
> > two config options at creation time is a good idea either.
> >
> > Documentation-wise, that would imply explaining the security caveats of
> > every web app even in a novice symfony tutorial. There is a time to do
> > this, in the learning process of professional application development,
> > but it is probably not when you give the framework a try.
>
> You're right. After some thought, I think that when you create a new
> application, it's not the time to force the user to learn about XSS or
> CSRF. It's too late.

Right, it is too late here, but maybe you can make a compromise between
forcing the user to provide these options and not making this too
complicated: what about some "interactive questions"?

These options could be "required", and if they are not given the task could
ask the user:

  You need to set up the security levels. Upper case is the default value.
  If you are not sure what this means, please have a look at the
  documentation [...]. A safe answer is to leave the default values.

  XSS-Protection [ON/off/both]:
  CSRF-Protection [ON/off]:

regards,
Matthias

> > So I'm more in favor of an "insecure" default, but with a new doc
> > chapter explaining all the security risks and all the bad things that
> > could happen, unless... you change two settings in the settings.yml.
> >
> > My 2c,
> >
> > François
> >
> > 2008/3/31, Fabien POTENCIER <[EMAIL PROTECTED]>:
> > > Lucas Stephanou wrote:
> > > > I think that security options must be on by default. Educating
> > > > developers is lovely, but creating web applications isn't the right
> > > > place to do that.
> > > > So I do vote for both protections on, and if someone wants to
> > > > disable them (knowing what he is doing), do it explicitly.
> > > > The names for the options are ok.
> > >
> > > There is no default. When you create an application, you must provide
> > > those 2 options.
> > >
> > > Fabien
> > >
> > > > On Mon, Mar 31, 2008 at 10:11 AM, Fabien POTENCIER
> > > > <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > I will post a blog post about security when we release beta3.
> > > > >
> > > > > Short story:
> > > > >
> > > > > People need to be aware of what kind of things are done
> > > > > automatically for them. If not, they won't understand the
> > > > > principles behind the CSRF protection and then, they won't
> > > > > understand why you can't put a form with CSRF protection in the
> > > > > cache ;) The same goes for XSS protection (output escaping).
> > > > >
> > > > > In beta3, the generate:app task will have new mandatory option(s)
> > > > > to configure the security level of the new application. It will
> > > > > force users to think about the security and what to
> > > > > enable/disable by default.
> > > > >
> > > > > And here is a question for all of you: how to name this/these new
> > > > > option(s). Here is my proposition:
> > > > >
> > > > > 2 options, one for XSS and one for CSRF:
> > > > >
> > > > >   --xss-protection=on / off / both
> > > > >   --csrf-protection=on / off
> > > > >
> > > > > Let's start the discussion ;)
> > > > >
> > > > > Fabien
> > > > >
> > > > > --
> > > > > Fabien Potencier
> > > > > Sensio CEO - symfony lead developer
> > > > >
> > > > > sensiolabs.com | symfony-project.com | aide-de-camp.org
> > > > >
> > > > > Tél: +33 1 40 99 80 80
> > > > >
> > > > > Ian P. Christian wrote:
> > > > > > Not that I'm overly bothered.... but...
> > > > > >
> > > > > > Why has CSRF been disabled by default?
> > > > > >
> > > > > > Kind Regards,
> > > > > >
> > > > > > Ian
> > > >
> > > > --
> > > > Lucas Stephanou
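The two mechanisms the thread argues about, output escaping and the CSRF token, together with Fabien's remark that a form with CSRF protection cannot be put in the cache, as an added illustration in plain PHP. This is not symfony code and not part of the original thread: the HMAC-derived token, the APP_SECRET constant, the esc()/render_form()/extract_token() helpers and the two session ids are all constructed for the example.

```php
<?php
// Added illustration, not symfony code: a session-bound CSRF token, output
// escaping, and why a CSRF-protected form cannot be served from a page cache.
declare(strict_types=1);

// Hypothetical application secret; a real app would load it from configuration.
const APP_SECRET = 'example-secret-do-not-reuse';

/** Derive the CSRF token for one session. HMAC keeps it unguessable without the secret. */
function csrf_token(string $sessionId): string
{
    return hash_hmac('sha256', $sessionId, APP_SECRET);
}

/** Constant-time comparison of a submitted token against the submitting session's token. */
function csrf_valid(string $sessionId, string $submitted): bool
{
    return hash_equals(csrf_token($sessionId), $submitted);
}

/** The "xss-protection" half: escape untrusted data before it is written into HTML. */
function esc(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Render the form for a given session. The token is per session, so the HTML is too. */
function render_form(string $sessionId, string $prefill): string
{
    return '<form method="post" action="/comment">'
        . '<input type="hidden" name="_csrf_token" value="' . esc(csrf_token($sessionId)) . '">'
        . '<input type="text" name="body" value="' . esc($prefill) . '">'
        . '</form>';
}

/** Read the hidden token back out of rendered HTML, standing in for the browser. */
function extract_token(string $html): string
{
    return preg_match('/name="_csrf_token" value="([0-9a-f]{64})"/', $html, $m) ? $m[1] : '';
}

function check(string $label, bool $ok): void
{
    printf("%s %s\n", $ok ? 'PASS' : 'FAIL', $label);
}

// Constructed session ids standing in for two different visitors.
$alice = 'sess-alice-0001';
$bob   = 'sess-bob-0002';

// 1. Output escaping: a hostile prefill value cannot break out of the attribute.
$aliceHtml = render_form($alice, '"><script>alert(1)</script>');
check('escaped value contains no raw <script>', strpos($aliceHtml, '<script>') === false);

// 2. Normal flow: Alice submits the form that was rendered for her.
check('own token accepted', csrf_valid($alice, extract_token($aliceHtml)));

// 3. A cross-site attacker cannot read Alice's page, so a forged post has no valid token.
check('guessed token rejected', !csrf_valid($alice, str_repeat('0', 64)));

// 4. The caching trap: Alice's rendered page is stored in a shared page cache and
//    replayed to Bob. Bob's genuine submission now carries Alice's token and is
//    rejected, which is exactly why a CSRF-protected form must not be cached.
$cachedPage = $aliceHtml;
check('cached form breaks for the next visitor', !csrf_valid($bob, extract_token($cachedPage)));
```

Run it with `php csrf_cache_demo.php`; all four checks print PASS. The fourth one is the point Fabien alludes to: the rejection is the protection working correctly, so the fix is not to weaken validation but to keep the token-bearing fragment out of the cache (or inject the token after the cached HTML is served).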
