mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-09-18 07:26:40 +02:00
6348f2e3e8
Changed the `strictFormMethodCheck` protected property from false to true to step out on the front foot with this security setting. In the documentation under the title [Cross-Site Request Forgery](https://github.com/silverstripe/silverstripe-framework/blob/master/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md#cross-site-request-forgery-csrf) it states, "it is also recommended to limit form submissions to the intended HTTP verb (mostly GET or POST) through [api:Form::setStrictFormMethodCheck()]." The same advice is noted in [Form Security](c2292a4cc1/docs/en/02_Developer_Guides/03_Forms/04_Form_Security.md (strict-form-submission)). Why not make this the default behaviour? Is there a scenario where this would cause a problem? Have manually tested in the CMS (alpha7) and is working fine. Note: Original commit that established the API Form::setStrictFormMethodCheck is 14c59be8.
76 lines
2.9 KiB
Markdown
title: Form Security
summary: Ensure Forms are secure against Cross-Site Request Forgery attacks, bots and other malicious intent.

# Form Security

Whenever you are accepting or asking users to input data to your application, there comes an added responsibility that it
should be done as safely as possible. The sections below outline the things to consider when building your forms.

## Cross-Site Request Forgery (CSRF)

SilverStripe protects users against [Cross-Site Request Forgery](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF))
(known as `CSRF`) by adding a SecurityID [api:HiddenField] to each [api:Form] instance. The `SecurityID` contains a
random string generated by [api:SecurityToken] that distinguishes a genuine request from the user's own session from a
fake request forged by a third party.

<div class="info" markdown="1">
For more information on Cross-Site Request Forgery, consult the [OWASP](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF))
website.
</div>

The `SecurityToken` automatically added looks something like:

    :::php
    $form = new Form(..);
    echo $form->getSecurityToken()->getValue();

    // 'c443076989a7f24cf6b35fe1360be8683a753e2c'

This token value is passed through the rendered Form HTML as a [api:HiddenField].

    :::html
    <input type="hidden" name="SecurityID" value="c443076989a7f24cf6b35fe1360be8683a753e2c" class="hidden" />

The token should be present whenever an operation has a side effect, such as a `POST` operation.

It can be safely disabled for `GET` requests as long as the request does not modify the database (i.e. a search form does not
normally require a security token).

    :::php
    $form = new Form(..);
    $form->disableSecurityToken();

<div class="alert" markdown="1">
Do not disable the SecurityID for forms that perform some modification to the user's session or data. This will open your
application up to `CSRF` security holes.
</div>

## Strict Form Submission

To reduce attack exposure, forms are limited, by default, to the intended HTTP verb (mostly `GET` or `POST`). Without
this check, forms that rely on `GET` can be submitted via `POST` or `PUT`, or vice versa, potentially leading to
application errors or edge cases. If you need to disable this setting, follow the example below:

    :::php
    $form = new Form(..);

    $form->setFormMethod('POST');
    $form->setStrictFormMethodCheck(false);

    // or alternative short notation..
    $form->setFormMethod('POST', false);

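
Putting the two defaults together, as an added example that is not the documentation's or the framework's own code: a controller whose form keeps the SecurityID token and the strict `POST` check, plus a state-changing link that is not a Form and therefore has to verify the same token by hand. It assumes the un-namespaced SilverStripe 3 class names used on this page and a hypothetical `GuestbookEntry` DataObject with a `Body` field.

```php
// Added example, not from the SilverStripe docs or framework. Assumes the
// un-namespaced SilverStripe 3 class names and a hypothetical GuestbookEntry.
class GuestbookController extends Controller
{
    private static $allowed_actions = array('EntryForm', 'doEntry', 'deleteEntry');

    public function EntryForm()
    {
        $fields  = new FieldList(new TextareaField('Body', 'Message'));
        $actions = new FieldList(new FormAction('doEntry', 'Post'));
        $form = new Form($this, 'EntryForm', $fields, $actions, new RequiredFields('Body'));

        // The submission writes to the database, so the SecurityID token stays
        // enabled (the default) and only POST is accepted: a GET aimed at
        // doEntry(), forged or otherwise, is rejected before the handler runs.
        $form->setFormMethod('POST', true);
        return $form;
    }

    public function doEntry($data, Form $form)
    {
        // Form has already rejected requests whose SecurityID or verb did not match.
        $entry = GuestbookEntry::create(array('Body' => $data['Body']));
        $entry->write();
        return $this->redirectBack();
    }

    // A plain link that modifies state is not a Form, so nothing checks it for
    // you: verify the SecurityID request variable with the same SecurityToken.
    public function deleteEntry(SS_HTTPRequest $request)
    {
        if (!SecurityToken::inst()->checkRequest($request)) {
            return $this->httpError(400, 'Missing or invalid SecurityID');
        }
        $entry = GuestbookEntry::get()->byID((int) $request->param('ID'));
        if ($entry) {
            $entry->delete();
        }
        return $this->redirectBack();
    }

    // Build the delete link with ?SecurityID=<token> appended, so only pages
    // rendered for this session can produce a link that passes the check.
    public function DeleteLink($id)
    {
        return SecurityToken::inst()->addToUrl($this->Link('deleteEntry/' . (int) $id));
    }
}
```
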
## Spam and Bot Attacks

SilverStripe has no built-in protection for dealing with bots, CAPTCHAs or other spam protection methods. This
functionality is available as an additional [Spam Protection](https://github.com/silverstripe/silverstripe-spamprotection)
module if required. The module provides a consistent API that allows third-party spam protection handlers such as
[Recaptcha](http://www.google.com/recaptcha/intro/) and [Mollom](https://mollom.com/) to work within the `Form` API.

## Related Documentation

* [Security](../security)

## API Documentation

* [api:SecurityToken]