From 8fd466c3ccf1d91baca933428b68a9551e9d9b56 Mon Sep 17 00:00:00 2001 From: Florent Morselli Date: Fri, 12 Dec 2025 13:01:54 +0100 Subject: [PATCH] Enhance CSRF documentation with OWASP best practices and guidelines --- security/csrf.rst | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/security/csrf.rst b/security/csrf.rst index 48a5f3f03e0..bb604739553 100644 --- a/security/csrf.rst +++ b/security/csrf.rst @@ -5,6 +5,17 @@ CSRF, or `Cross-site request forgery`_, is a type of attack where a malicious ac tricks a user into performing actions on a web application without their knowledge or consent. +.. note:: + + According to `OWASP best practices`_, CSRF protection is only required for + **state-changing operations**. Do not use GET requests for state-changing + operations, as recommended by the HTTP specification. CSRF tokens must not be + transmitted in GET request parameters, as they can leak through browser history, + log files, network utilities, and Referer headers. + + If you need to disable CSRF protection for specific forms (for example, forms + that only perform read operations), see :ref:`form-csrf-customization`. + The attack is based on the trust that a web application has in a user's browser (e.g. on session cookies). Here's a real example of a CSRF attack: a malicious actor could create the following website: 
@@ -529,6 +540,7 @@ validation has been proven effective, it remains enforced for that session. fall back to ``Origin`` / ``Referer`` checks when JavaScript is unavailable. .. _`Cross-site request forgery`: https://en.wikipedia.org/wiki/Cross-site_request_forgery +.. _`OWASP best practices`: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html .. _`BREACH`: https://en.wikipedia.org/wiki/BREACH .. _`CRIME`: https://en.wikipedia.org/wiki/CRIME .. _`some JavaScript`: https://github.com/symfony/recipes/blob/main/symfony/stimulus-bundle/2.20/assets/controllers/csrf_protection_controller.js
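Review bot: in the first hunk the suggested reason for disabling CSRF protection, "forms that only perform read operations", sits oddly right after the sentence telling readers not to use GET for state-changing operations: a form that only reads should be submitted with GET, which needs no CSRF token in the first place, rather than with POST and protection switched off. Suggest rewording to something like "forms that only perform read operations and are therefore submitted with GET". Two smaller points on the same hunk: the `:ref:`form-csrf-customization`` target is not defined anywhere in this patch, so please confirm that label exists in the form documentation or the reference will fail to resolve; and the note is inserted between the one-sentence definition of CSRF and "The attack is based on the trust that a web application has in a user's browser", which splits the introductory explanation, so it would read more naturally placed after the worked attack example that follows. The second hunk only adds the `OWASP best practices` link target, which matches the reference used in the note, nothing to change there.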