tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 14:05:37 +02:00
Code Issues Projects Releases Wiki Activity
f9ea752bae
silverstripe-framework/docs/en/02_Developer_Guides
History
Antony Thorpe 6348f2e3e8 Updated Form.php & 04_Form_Security.md 
Changed the `strictFormMethodCheck` protected property from false to true to step out on the front foot with this security setting.  In the documentation under the title [Cross-Site Request Forgery](https://github.com/silverstripe/silverstripe-framework/blob/master/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md#cross-site-request-forgery-csrf) it states, "it is also recommended to limit form submissions to the intended HTTP verb (mostly GET or POST) through [api:Form::setStrictFormMethodCheck()]."  The same advice is noted in [Form Security](c2292a4cc1/docs/en/02_Developer_Guides/03_Forms/04_Form_Security.md (strict-form-submission)).

Why not make this the default behaviour?  Is there a scenario where this would cause a problem?  Have manually tested in the CMS (alpha7) and is working fine.

Note: Original commit that establised the API Form::setStrictFormMethodCheck is 14c59be8.
2017-06-06 21:10:49 +12:00
..
00_Model DOCS Updating index definition examples 2017-05-25 23:29:12 +01:00
01_Templates API Consistent use of inst() naming across framework 2017-05-19 14:38:06 +12:00
02_Controllers Update config documentation 2017-02-27 16:54:01 +13:00
03_Forms Updated Form.php & 04_Form_Security.md 2017-06-06 21:10:49 +12:00
04_Configuration Update YAML format to use namespace 2017-05-16 11:49:39 +01:00
05_Extending DOCS Fixed namespace for factory 2017-04-21 10:54:21 +12:00
06_Testing Remove TestListener and rely on PHPUnits APIs 2017-03-30 11:46:58 +13:00
07_Debugging FIX: Show detailed errors on CLI for live environments 2017-05-01 15:28:48 +12:00
08_Performance API Use symfony/cache (fixes #6252) 2017-02-26 13:07:59 +13:00
09_Security Secure Coding - Security Headers, Force HTTPS and Cookies 2017-04-13 13:59:02 +12:00
10_Email DOCS Email docs and upgrade notes 2017-01-13 16:12:25 +00:00
11_Integration DOCS Update docs to reference PageController without an underscore, implement some PSR-2 2017-01-11 09:59:28 +13:00
12_Search DOCS Updating index definition examples 2017-05-25 23:29:12 +01:00
13_i18n Doc dateformats with calendar year 2017-05-08 22:08:14 +12:00
14_Files API Rename services to match FQN of interface / classes 2017-05-16 14:15:49 +12:00
15_Customising_the_Admin_Interface update docs with new api 2017-05-25 16:34:32 +12:00
16_Execution_Pipeline API Consistent use of inst() naming across framework 2017-05-19 14:38:06 +12:00
17_CLI API Replace SS_HOST with SS_BASE_URL 2017-04-20 22:28:57 +12:00
18_Cookies_And_Sessions Merge remote-tracking branch 'origin/3' 2016-01-20 13:16:27 +13:00
index.md Add introduction files to each of the sections 2014-12-17 15:48:54 +13:00