Important

You are browsing documentation for version 5.0 of OroCommerce. Support of this version ended in January 2025. Read the documentation for version 6.1 (the latest LTS version) to get up-to-date information.

See our Release Process documentation for more information on the currently supported and upcoming releases.

CSRF Protection

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated.

AJAX Request CSRF Protection

To protect AJAX controllers against CSRF, use the @CsrfProtection annotation. You can apply it to the whole controller or to individual actions.

AJAX request protection uses the Double Submit Cookie technique: each AJAX request must carry an X-CSRF-Header header with a valid token value, and this header is added by default to all AJAX requests. The current token value is stored in the _csrf cookie for HTTP connections and in the https-_csrf cookie for HTTPS connections.
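The Double Submit Cookie check described above, written out as an added example. This is not OroCommerce's own implementation; the function and constant names are assumptions, and the sample requests are constructed.

```php
<?php
// Added example (not OroCommerce's own code): a minimal Double Submit Cookie
// check that follows the scheme described in the docs. Names are assumptions.

declare(strict_types=1);

const CSRF_HEADER = 'X-CSRF-Header';

/** Cookie holding the token, chosen by connection scheme as the docs state. */
function csrfCookieName(bool $isHttps): string
{
    return $isHttps ? 'https-_csrf' : '_csrf';
}

/** Issue a fresh random token (hex, so it is safe in both cookie and header). */
function generateCsrfToken(): string
{
    return bin2hex(random_bytes(32));
}

/**
 * Double Submit Cookie validation: the token sent in the request header must
 * equal the token stored in the cookie. Both must be present and non-empty;
 * hash_equals() keeps the comparison constant-time.
 */
function isCsrfRequestValid(array $cookies, array $headers, bool $isHttps): bool
{
    $cookieToken = $cookies[csrfCookieName($isHttps)] ?? '';

    // Header names are case-insensitive, so normalise the lookup.
    $headerToken = '';
    foreach ($headers as $name => $value) {
        if (strcasecmp($name, CSRF_HEADER) === 0) {
            $headerToken = (string) $value;
            break;
        }
    }

    if ($cookieToken === '' || $headerToken === '') {
        return false; // missing cookie or header: reject, never fall through
    }

    return hash_equals($cookieToken, $headerToken);
}

// Constructed sample requests: valid, header missing, header forged.
$token = generateCsrfToken();
var_dump(isCsrfRequestValid(['https-_csrf' => $token], ['X-CSRF-Header' => $token], true));
var_dump(isCsrfRequestValid(['https-_csrf' => $token], [], true));
var_dump(isCsrfRequestValid(['_csrf' => $token], ['x-csrf-header' => 'forged'], false));
```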

Controller level protection

// ...

use Oro\Bundle\SecurityBundle\Annotation\CsrfProtection;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\Routing\Annotation\Route;

/**
 * Class-level protection: every action in this controller requires a valid
 * X-CSRF-Header token.
 *
 * @CsrfProtection
 */
class AjaxController extends AbstractController
{
    /**
     * @Route("/ajax/change-status/{statusName}", name="acme_ajax_change_status", methods={"POST"})
     */
    public function performAction($statusName)
    {
        // ...
    }
}

Action level protection

// ...

use Oro\Bundle\SecurityBundle\Annotation\CsrfProtection;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\Routing\Annotation\Route;

class AjaxController extends AbstractController
{
    /**
     * Action-level protection: only this action requires a valid
     * X-CSRF-Header token; other actions in the controller are unaffected.
     *
     * @Route("/ajax/change-status/{statusName}", name="acme_ajax_change_status", methods={"POST"})
     * @CsrfProtection
     */
    public function performAction($statusName)
    {
        // ...
    }
}