- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
ID: php-security/symfony-csrf-disabled
Language: PHP
Severity: Error
Category: Security
CWE: 352
CSRF (Cross-Site Request Forgery) is an attack that tricks the victim into submitting a malicious request. It uses the identity and privileges of the victim to perform an undesired function on their behalf.
Disabling CSRF protection exposes your application to such attacks, compromising user data and potentially leading to unauthorized actions. For instance, an attacker could forge a request to change the email address on record for the victim’s account, effectively hijacking the account.
To avoid violating this rule, ensure that ‘csrf_protection’ is set to true in your PHP code.
<?php
class Foo
{
public function configureOptions(OptionsResolver $resolver)
{
$resolver->setDefaults([
'data_class' => Type::class,
'csrf_protection' => false
]);
$resolver->setDefaults(array(
'csrf_protection' => false
));
}
}
class Bar extends Extension implements PrependExtensionInterface
{
public function prepend(ContainerBuilder $container)
{
$container->prependExtensionConfig('framework', ['csrf_protection' => false]);
$container->loadFromExtension('framework', ['csrf_protection' => false]);
}
}
class Baz extends AbstractController
{
public function action()
{
$this->createForm(TaskType::class, $task, array(
'csrf_protection' => false,
));
}
}
<?php
class Foo
{
public function configureOptions(OptionsResolver $resolver)
{
$resolver->setDefaults([
'data_class' => Type::class,
'csrf_protection' => true,
]);
$resolver->setDefaults(array(
'csrf_protection' => true,
));
}
}
class Bar extends Extension implements PrependExtensionInterface
{
public function prepend(ContainerBuilder $container)
{
$container->prependExtensionConfig('framework', ['csrf_protection' => true]);
$container->loadFromExtension('framework', ['csrf_protection' => true]);
}
}
class Baz extends AbstractController
{
public function action()
{
$this->createForm(TaskType::class, $task, array(
'csrf_protection' => true,
));
}
}