Skip to content

Commit eeaa4db

Browse files
kenjiskenjis
committed
docs: move CSRF Protection Methods section up
This is a basic config item, so it is better to have it at the beginning.
1 parent fab038d commit eeaa4db

1 file changed

Lines changed: 15 additions & 16 deletions

File tree

user_guide_src/source/libraries/security.rst

Lines changed: 15 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -26,6 +26,21 @@ Cross-site request forgery (CSRF)
2626
.. warning:: The CSRF Protection is only available for **POST/PUT/PATCH/DELETE** requests.
2727
Requests for other methods are not protected.
2828

29+
CSRF Protection Methods
30+
=======================
31+
32+
By default, the Cookie based CSRF Protection is used. It is
33+
`Double Submit Cookie <https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie>`_
34+
on OWASP Cross-Site Request Forgery Prevention Cheat Sheet.
35+
36+
You can also use Session based CSRF Protection. It is
37+
`Synchronizer Token Pattern <https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern>`_.
38+
39+
You can set to use the Session based CSRF protection by editing the following config parameter value in
40+
**app/Config/Security.php**::
41+
42+
public $csrfProtection = 'session';
43+
2944
Enable CSRF Protection
3045
======================
3146

@@ -130,22 +145,6 @@ than simply crashing. This can be turned off by editing the following config par
130145

131146
Even when the redirect value is ``true``, AJAX calls will not redirect, but will throw an error.
132147

133-
=======================
134-
CSRF Protection Methods
135-
=======================
136-
137-
By default, the Cookie based CSRF Protection is used. It is
138-
`Double Submit Cookie <https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie>`_
139-
on OWASP Cross-Site Request Forgery Prevention Cheat Sheet.
140-
141-
You can also use Session based CSRF Protection. It is
142-
`Synchronizer Token Pattern <https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern>`_.
143-
144-
You can set to use the Session based CSRF protection by editing the following config parameter value in
145-
**app/Config/Security.php**::
146-
147-
public $csrfProtection = 'session';
148-
149148
*********************
150149
Other Helpful Methods
151150
*********************

0 commit comments

Comments
 (0)