title: Form Security
summary: Ensure Forms are secure against Cross-Site Request Forgery attacks, bots and other malicious intent.
# Form Security
Whenever you accept or ask users to input data into your application, there comes an added responsibility to do so
as safely as possible. The following outlines the things to consider when building your forms.
## Cross-Site Request Forgery (CSRF)
SilverStripe protects users against [Cross-Site Request Forgery](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF))
(known as `CSRF`) by adding a SecurityID [HiddenField](api:SilverStripe\Forms\HiddenField) to each [Form](api:SilverStripe\Forms\Form) instance. The `SecurityID` contains a
random string generated by [SecurityToken](api:SilverStripe\Security\SecurityToken) that identifies the particular user's request, as distinct from a request
forged by a third party.
<div class="info" markdown="1">
For more information on Cross-Site Request Forgery, consult the [OWASP](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF))
website.
</div>
The `SecurityToken` automatically added looks something like:
```php
use SilverStripe\Forms\Form;

$form = new Form(..);
echo $form->getSecurityToken()->getValue();
// 'c443076989a7f24cf6b35fe1360be8683a753e2c'
```

This token value is passed through the rendered Form HTML as a [HiddenField](api:SilverStripe\Forms\HiddenField).

```html
<input type="hidden" name="SecurityID" value="c443076989a7f24cf6b35fe1360be8683a753e2c" class="hidden" />
```

The token should be present whenever an operation has a side effect, such as a `POST` operation.
It can be safely disabled for `GET` requests as long as they do not modify the database (i.e. a search form does not
normally require a security token).

```php
$form = new Form(..);
$form->disableSecurityToken();
```

<div class="alert" markdown="1">
Do not disable the SecurityID for forms that perform some modification to the user's session. This will open your
application up to `CSRF` security holes.
</div>
## Strict Form Submission
To reduce attack exposure, forms are limited by default to the intended HTTP verb (mostly `GET` or `POST`). Without
this check, forms that rely on `GET` can be submitted via `POST` or `PUT` or vice versa, potentially leading to
application errors or edge cases. If you need to disable this setting, follow the example below:

```php
$form = new Form(..);

$form->setFormMethod('POST');
$form->setStrictFormMethodCheck(false);

// or alternative short notation..
$form->setFormMethod('POST', false);
```

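Putting the CSRF token and the strict method check together, here is an added example (not from the original page or the SilverStripe project) of a hypothetical controller that keeps both protections on for a state-changing subscribe form and disables the token only for a read-only `GET` search form. The controller and field names are assumptions; the `Form`, `FieldList`, `FormAction` and field classes are the framework's own.

```php
use SilverStripe\Control\Controller;
use SilverStripe\Forms\EmailField;
use SilverStripe\Forms\FieldList;
use SilverStripe\Forms\Form;
use SilverStripe\Forms\FormAction;
use SilverStripe\Forms\TextField;

// Hypothetical controller: shows where SecurityID and the strict method check stay on.
class NewsletterPageController extends Controller
{
    private static $allowed_actions = ['SubscribeForm', 'SearchForm'];

    // State-changing form: POST, strict method check and SecurityID all enabled.
    // A cross-site forged request carries no valid SecurityID and is rejected
    // by the Form before doSubscribe() is ever reached.
    public function SubscribeForm()
    {
        $fields = FieldList::create(EmailField::create('Email', 'Email address'));
        $actions = FieldList::create(FormAction::create('doSubscribe', 'Subscribe'));
        $form = Form::create($this, 'SubscribeForm', $fields, $actions);
        $form->setFormMethod('POST'); // explicit; the strict method check stays enabled
        return $form;
    }

    public function doSubscribe($data, Form $form)
    {
        // Only reached for a genuine POST with a valid SecurityID.
        // ... persist the subscription here (hypothetical) ...
        $form->sessionMessage('Thanks for subscribing.', 'good');
        return $this->redirectBack();
    }

    // Read-only form: GET with no side effects, so the token can be dropped and
    // the result URL stays bookmarkable. Nothing in doSearch() modifies state.
    public function SearchForm()
    {
        $fields = FieldList::create(TextField::create('q', 'Search'));
        $actions = FieldList::create(FormAction::create('doSearch', 'Search'));
        $form = Form::create($this, 'SearchForm', $fields, $actions);
        $form->setFormMethod('GET');
        $form->disableSecurityToken();
        return $form;
    }

    public function doSearch($data, Form $form)
    {
        // Read only: echo the escaped query; a real site would render results here.
        return 'Results for: ' . htmlspecialchars($data['q'] ?? '', ENT_QUOTES, 'UTF-8');
    }
}
```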
## Spam and Bot Attacks
SilverStripe has no built-in protection for dealing with bots, CAPTCHAs or other spam protection methods. This
functionality is available as an additional [Spam Protection](https://github.com/silverstripe/silverstripe-spamprotection)
module if required. The module provides a consistent API for allowing third-party spam protection handlers such as
[Recaptcha](http://www.google.com/recaptcha/intro/) and [Mollom](https://mollom.com/) to work within the `Form` API.
## Related Documentation
* [Security](../security)
## API Documentation
* [SecurityToken](api:SilverStripe\Security\SecurityToken)