I'm building a website that uses a lot of Ajax requests and custom forms (read: custom jQuery-forged POST requests with fields, or simple GET requests). I know that Ajax and Symfony forms aren't incompatible (because the server doesn't see any difference), but that's not the question.
I'm very worried about CSRF attacks because my POST requests are not using Symfony's official way to build and check forms, so I have no automatic CSRF protection.
I have two questions:

1. Can I consider my POST requests as safe? The majority of CSRF attacks are done via <img> tags that point at the sensitive endpoint. It is not possible to forge POST requests via images. Is the only way to do this JavaScript injection? If I use Twig (safe inclusion of user content, thanks to HTML escaping), I will probably not have user-injected JS in the middle of my pages. So, am I out of danger?

2. In any case, I have a few sensitive GET endpoints, too. I have to protect them. What is the easiest way to protect the associated actions? Append the links (as a GET parameter) with a token generated by the form.csrf_provider service, then verify it at the entry of each involved action?
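As an added example, not code from the original post, here is one way to do what the second question describes with the Symfony 2.x `form.csrf_provider` service: generate a token for a named intention, append it to sensitive GET links as a query parameter, expose the same token to the page's jQuery code, and verify it at the entry of each involved action. The bundle, controller class, route names, Twig template and the `ajax_api` intention are hypothetical. On the first question, note that a forged cross-site POST needs no script injected into your own pages: any page the attacker controls can auto-submit a hidden HTML form to your endpoint with the victim's session cookie attached, so the same token check is needed on POST endpoints as well.

```php
<?php
// Added example (not from the original post): CSRF protection for custom
// Ajax and GET endpoints using Symfony 2.x's form.csrf_provider service.
// Assumed/hypothetical: the bundle, controller, route names, template and
// the 'ajax_api' intention string.

namespace Acme\DemoBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

class ApiController extends Controller
{
    // One intention per group of endpoints; the token is bound to it, so a
    // token minted for a form elsewhere in the app is not valid here.
    const CSRF_INTENTION = 'ajax_api';

    // Page that hands the token to both link-based (GET) and Ajax (POST) use.
    public function indexAction()
    {
        $token = $this->get('form.csrf_provider')
                      ->generateCsrfToken(self::CSRF_INTENTION);

        return $this->render('AcmeDemoBundle:Api:index.html.twig', array(
            // Sensitive GET link: token appended as a query parameter.
            'delete_url' => $this->generateUrl('acme_api_delete', array(
                'id'     => 42,
                '_token' => $token,
            )),
            // Same token, exposed for the page's jQuery-forged POST requests.
            'csrf_token' => $token,
        ));
    }

    // Sensitive GET endpoint: the token travels in the query string.
    public function deleteAction(Request $request, $id)
    {
        $this->assertCsrfToken($request);
        // ... perform the deletion ...
        return new JsonResponse(array('deleted' => (int) $id));
    }

    // Ajax POST endpoint: the token travels as a header or a POST field.
    public function updateAction(Request $request)
    {
        $this->assertCsrfToken($request);
        // ... apply $request->request->all() ...
        return new Response('', 204);
    }

    // Accept the token from the X-CSRF-Token header (set by your jQuery code)
    // or from a _token parameter (query string or POST body), and reject the
    // request before any state changes if it is missing or does not match.
    private function assertCsrfToken(Request $request)
    {
        $token = $request->headers->get('X-CSRF-Token');
        if (null === $token) {
            // Request::get() looks in attributes, then query, then POST body.
            $token = $request->get('_token');
        }

        $provider = $this->get('form.csrf_provider');
        if (null === $token
            || !$provider->isCsrfTokenValid(self::CSRF_INTENTION, $token)) {
            throw new AccessDeniedHttpException('Invalid or missing CSRF token.');
        }
    }
}
```

On the client side, print `csrf_token` once into the page (for instance in a `<meta name="csrf-token" content="{{ csrf_token }}">` tag; Twig's escaping keeps it safe in an attribute) and send it with every jQuery request via `$.ajaxSetup({ headers: { 'X-CSRF-Token': ... } })`, so no hand-built request has to remember to add it. Tokens placed in GET URLs end up in server logs, browser history and Referer headers, so keep state-changing actions on POST where possible and use the query-parameter form only for the GET endpoints that cannot be moved.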