From 1b0d777eefab1191fc243932668cb64539a36edc Mon Sep 17 00:00:00 2001 From: kenjis Date: Tue, 7 Nov 2023 13:06:09 +0900 Subject: [PATCH] docs: add warning about Cookie based CSRF protection --- user_guide_src/source/libraries/security.rst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/user_guide_src/source/libraries/security.rst b/user_guide_src/source/libraries/security.rst index 6c39cbefdb5e..407b99725103 100644 --- a/user_guide_src/source/libraries/security.rst +++ b/user_guide_src/source/libraries/security.rst @@ -71,6 +71,12 @@ Config for CSRF CSRF Protection Methods ----------------------- +.. warning:: If you use :doc:`Session <./sessions>`, be sure to use Session based + CSRF protection. Cookie based CSRF protection will not prevent Same-site attacks. + See + `GHSA-5hm8-vh6r-2cjq `_ + for details. + By default, the Cookie based CSRF Protection is used. It is `Double Submit Cookie `_ on OWASP Cross-Site Request Forgery Prevention Cheat Sheet.
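Review bot: the hyperlink in the new warning has no target: the added line reads `GHSA-5hm8-vh6r-2cjq `_ with nothing between the advisory name and the closing backtick, so as written Sphinx will not produce a link to the advisory (an external link needs the form `name <URL>`_). If the `<...>` part was not merely lost when the patch was pasted, add the advisory URL there before merging. The sentence "Cookie based CSRF protection will not prevent Same-site attacks" is also too vague for a reader to judge whether it applies to them; since the paragraph right below identifies the cookie method as OWASP's Double Submit Cookie pattern, say what the attacker must be able to do (write a cookie for the site, e.g. from another host under the same parent domain) rather than only naming the attack class. Finally, the warning tells users to switch to Session based protection but not how: cross-reference the setting in the "Config for CSRF" section that the hunk header (`@@ -71,6 +71,12 @@ Config for CSRF`) shows immediately above, so the reader can act on the warning without searching.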