Kris Wallsmith wrote: > ...but I generally try to obscure the technology behind the sites I work > on. For example, I always remove the /sf alias from the web directory in > production and use a custom CSRF field name. > > I see a few more "tells" in the current 1.1 and 1.2 branches that may > not be as easy to opt-out of, namely the [1.1, 1.2] sf_format and [1.2] > sf_method request parameters. Is there a way to customize these > parameter names or disable that magic altogether and rely solely on HTTP > headers? If not, this "magic" smells a bit like the whole > register_globals debacle...
sf_format is never ever revealed in HTML as most of the time, it's embedded in your routes. The sf_method parameter is not mandatory. Just don't use PUT and DELETE in your browser. Fabien > > Thanks, > Kris > > > > --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "symfony developers" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/symfony-devs?hl=en -~----------~----~----~----~------~----~------~--~---
