
Global Configuration of CSRF Token Names #37112

@bmendonca

Description

Allow changing of the default token name by configuration file.

In framework.yaml, we'd be able to do something like:

framework:
    csrf_protection: true
    # hypothetical option proposed in this issue; YAML needs a space after the colon
    csrf_token_name: my_custom_csrf_token_name

In some automated scanners such as OWASP ZAP and Tenable.io, the checks for a CSRF token are based on the field name. They look for a form field with a predefined name and id such as "_anticsrf", "csrf", etc. In cases where the CSRF token name used by Symfony is not what the scanner is looking for, a false-positive security violation can be detected, since the scanner won't recognize that the token field is a valid anti-CSRF token.

Example
Instead of name="form_name[_token]", could I designate what the token name can be? i.e. name="form_name[_csrf_token_custom_name]".

This would be something that could be customized at the app/global level rather than configuring each formType options individually as stated in the docs: https://symfony.com/doc/4.4/security/csrf.html#csrf-protection-in-symfony-forms

public function configureOptions(OptionsResolver $resolver)
{
    $resolver->setDefaults([
        'data_class'      => Task::class,
        // enable/disable CSRF protection for this form
        'csrf_protection' => true,
        // the name of the hidden HTML field that stores the token
        'csrf_field_name' => '_token',
        // an arbitrary string used to generate the value of the token
        // using a different string for each form improves its security
        'csrf_token_id'   => 'task_item',
    ]);
}

This would also be an alternative to writing a custom form type extension.

Some relevant links:

// fragment of Symfony\Component\Form\Extension\Csrf\CsrfExtension::loadTypeExtensions():
// the third constructor argument ('_token') is the hard-coded default field name
new Type\FormTypeCsrfExtension($this->tokenManager, true, '_token', $this->translator, $this->translationDomain),

// fragment of FormTypeCsrfExtension::finishView(): the hidden token field is
// created under the resolved 'csrf_field_name' option
    'block_prefix' => 'csrf_token',
    'mapped' => false,
]);
$view->children[$options['csrf_field_name']] = $csrfForm->createView($view);

Does this seem like a good idea compared to writing a form extension and wiring it at a service?
Regardless, thank you for your consideration!
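The "custom form type extension" route mentioned above, written out as an added example (this is not code from the issue, from the Symfony docs, or from Symfony itself): an application-level type extension that replaces the `csrf_field_name` default for every form at once, so individual form types need no change. The class name, namespace and the field name `_csrf_token_custom_name` are assumptions for illustration.

```php
<?php
// Added example, not Symfony's own code. Sets a global default for the
// CSRF hidden-field name by extending the root FormType. Class name,
// namespace and FIELD_NAME are assumptions.

declare(strict_types=1);

namespace App\Form\Extension;

use Symfony\Component\Form\AbstractTypeExtension;
use Symfony\Component\Form\Extension\Core\Type\FormType;
use Symfony\Component\OptionsResolver\OptionsResolver;

final class GlobalCsrfFieldNameExtension extends AbstractTypeExtension
{
    // Name the scanner's heuristics expect to see; assumed value.
    public const FIELD_NAME = '_csrf_token_custom_name';

    public function configureOptions(OptionsResolver $resolver): void
    {
        // FormTypeCsrfExtension already defines 'csrf_field_name' with the
        // default '_token'. setDefault() replaces that default for every form
        // built from FormType, while a single form type can still override it
        // in its own configureOptions().
        $resolver->setDefault('csrf_field_name', self::FIELD_NAME);
    }

    public static function getExtendedTypes(): iterable
    {
        // Every form type ultimately extends FormType, so this covers the whole app.
        return [FormType::class];
    }
}
```

With service autoconfiguration enabled, the class is tagged `form.type_extension` automatically and needs no extra wiring; a form named `task` then renders its hidden field as `name="task[_csrf_token_custom_name]"`. If the core CSRF extension's default still wins in a given setup, give this service a `priority` on its `form.type_extension` tag so it is applied after the core one (ordering assumption; verify by rendering a form). Note that only the field name changes: token generation and validation are untouched, so the rename affects what name-based scanner checks see, not the protection itself.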
