Merge pull request #8164 from kenjis/docs-warning-cookie-csrf
docs: add warning about Cookie based CSRF protection
kenjis authored Nov 7, 2023
2 parents 56ed444 + 1b0d777 commit 6014daf
Showing 1 changed file with 6 additions and 0 deletions.
6 changes: 6 additions & 0 deletions user_guide_src/source/libraries/security.rst
Expand Up @@ -71,6 +71,12 @@ Config for CSRF
CSRF Protection Methods
-----------------------

.. warning:: If you use :doc:`Session <./sessions>`, be sure to use Session based
CSRF protection. Cookie based CSRF protection will not prevent Same-site attacks.
See
`GHSA-5hm8-vh6r-2cjq <https://github.com/codeigniter4/shield/security/advisories/GHSA-5hm8-vh6r-2cjq>`_
for details.

By default, the Cookie based CSRF Protection is used. It is
`Double Submit Cookie <https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie>`_
on OWASP Cross-Site Request Forgery Prevention Cheat Sheet.
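Review bot: the warning tells readers to "be sure to use Session based CSRF protection" but gives no pointer to how that is selected; since the hunk header shows this text sits directly under the "Config for CSRF" section, add a cross-reference to that section (or name the config setting that switches the method) inside the warning so the reader is not left with only the external advisory link. Two smaller points: "Same-site attacks" is used without definition anywhere in the visible text, so one clause stating what the cookie based method does not protect against would let the warning stand on its own instead of depending on GHSA-5hm8-vh6r-2cjq; and in the lines as shown, the continuation lines of the `.. warning::` directive (from "CSRF protection. Cookie based CSRF protection will not prevent Same-site attacks." through "for details.") are not indented under the directive, which Sphinx requires for them to be part of the warning body rather than a following paragraph. If the indentation is present in the file and only lost in this view, the last point can be ignored.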
