Important

You are browsing the documentation for version 4.1 of OroCommerce, OroCRM and OroPlatform, which is no longer maintained. Read version 5.1 (the latest LTS version) of the Oro documentation to get up-to-date information.

See our Release Process documentation for more information on the currently supported and upcoming releases.

CSRF Protection

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated.

AJAX Request CSRF Protection

To protect controllers against CSRF on AJAX requests, use the @CsrfProtection annotation. It can be applied to a whole controller or to individual actions.

The Double Submit Cookie technique is used for AJAX request protection: each AJAX request must carry an X-CSRF-Header header with a valid token value, and this header is added by default to all AJAX requests. The current token value is stored in the _csrf cookie for HTTP connections and in the https-_csrf cookie for HTTPS connections.

Controller level protection

// ...

use Oro\Bundle\SecurityBundle\Annotation\CsrfProtection;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\Routing\Annotation\Route;

/**
 * The class-level annotation applies CSRF protection to every action in this controller.
 *
 * @CsrfProtection
 */
class AjaxController extends Controller
{
    /**
     * @Route("/ajax/change-status/{statusName}", name="acme_ajax_change_status", methods={"POST"})
     */
    public function performAction($statusName)
    {
        // ...
    }
}

Action level protection

// ...

use Oro\Bundle\SecurityBundle\Annotation\CsrfProtection;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\Routing\Annotation\Route;

class AjaxController extends Controller
{
    /**
     * The action-level annotation protects only this action; other actions in the
     * controller stay unprotected unless annotated themselves.
     *
     * @Route("/ajax/change-status/{statusName}", name="acme_ajax_change_status", methods={"POST"})
     * @CsrfProtection
     */
    public function performAction($statusName)
    {
        // ...
    }
}