Bayezid Alam

Reputation: 380

How secure is it if Cross Site Request Forgery (CSRF) is enabled in CakePHP?

First of all, the confusion comes from the CSRF and Check Your Security pages in the development section of the CakePHP documentation.

From CSRF:

By enabling the CSRF Component you get protection against attacks. CSRF or Cross Site Request Forgery is a common vulnerability in web applications. It allows an attacker to capture and replay a previous request, and sometimes submit data requests using image tags or resources on other domains.

In the first line, it says CSRF protects against attacks, and then in the third line it says that it allows attackers to capture and replay a previous request and bla bla bla.

And from Development:

Ensure you are using the Cross Site Request Forgery.

So why is it recommended in the documentation to enable CSRF, and confirmed in Check Your Security, if attackers can capture/replay the previous request?

And how can it be secure if that is so?

Thanks

Upvotes: 0

Views: 119

Answers (1)

ndm

Reputation: 60463

You seem to be confused by the terms and the maybe misleading wording. Of course the component's sole purpose is to defend against CSRF attacks; it is definitely not meant to make them possible!

Imagine the word "CSRF" before the word "attacks":

By enabling the CSRF Component you get protection against CSRF attacks. CSRF or Cross Site Request Forgery is a common vulnerability in web applications [...]

and the second quoted sentence is missing the word "component":

Ensure you are using the Cross Site Request Forgery component.

Upvotes: 2
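To show what "being secured" by the component actually means, here is an added illustration that is not part of the question, the answer, or CakePHP itself: a simplified stand-in for the double-submit-cookie check that CakePHP 3's CsrfComponent performs on every state-changing request. The cookie name `csrfToken`, form field `_csrfToken` and header `X-CSRF-Token` are the component's defaults; the request values are constructed.

```php
<?php
// Simplified stand-in for the check CakePHP 3's CsrfComponent performs.
// This is an illustration, not the component's own code.

function csrfCheck(string $method, array $cookies, array $post, array $headers): bool
{
    // Safe methods do not change state, so the component skips them.
    if (in_array(strtoupper($method), ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true;
    }
    $cookie = $cookies['csrfToken'] ?? '';
    // The token may arrive as a form field (FormHelper adds it as a hidden
    // input) or as a header, which AJAX clients typically use.
    $token = $post['_csrfToken'] ?? ($headers['X-CSRF-Token'] ?? '');
    if ($cookie === '' || $token === '') {
        return false;
    }
    // Constant-time comparison of the two submitted copies of the token.
    return hash_equals($cookie, $token);
}

// Constructed sample: the cookie the component set on an earlier response.
$siteCookie = ['csrfToken' => 'a1b2c3d4e5f6'];

// Legitimate form generated by FormHelper: hidden field matches the cookie.
$legit = csrfCheck('POST', $siteCookie, ['_csrfToken' => 'a1b2c3d4e5f6'], []);

// Forged cross-site form: the browser still attaches the cookie, but a page
// on another origin cannot read it, so it cannot supply the matching field.
// This is the "capture and replay" case the documentation warns about, and
// it is rejected.
$forged = csrfCheck('POST', $siteCookie, ['title' => 'x'], []);

// Same-origin AJAX request carrying the token in the header instead.
$ajax = csrfCheck('PUT', $siteCookie, [], ['X-CSRF-Token' => 'a1b2c3d4e5f6']);

var_dump($legit, $forged, $ajax);
```

The check only holds if the cookie is set with `httpOnly`/`secure` where appropriate and the application does not echo the token into responses a third-party origin can read.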
