
CSRF Protection 

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated.

AJAX Request CSRF Protection 

To protect a controller's AJAX endpoints against CSRF, use the #[CsrfProtection] attribute. It can be applied to the whole controller (every action in it) or to individual actions.

AJAX requests are protected with the Double Submit Cookie technique: each AJAX request must carry an X-CSRF-Header header whose value matches the CSRF token stored in the _csrf cookie for HTTP connections (https-_csrf for HTTPS). The header is added by default to all AJAX requests; a request that lacks the header, or whose header value does not match the token in the cookie, does not pass the protection.

Controller level protection

src/Acme/Bundle/DemoBundle/Controller/FavoriteController.php 
<?php

namespace Acme\Bundle\DemoBundle\Controller;

use Acme\Bundle\DemoBundle\Entity\Favorite;
use Oro\Bundle\EntityBundle\ORM\DoctrineHelper;
use Oro\Bundle\SecurityBundle\Attribute\Acl;
use Oro\Bundle\SecurityBundle\Attribute\AclAncestor;
use Oro\Bundle\SecurityBundle\Attribute\CsrfProtection;
use Oro\Bundle\SecurityBundle\ORM\Walker\AclHelper;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Template;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\Security\Acl\Voter\FieldVote;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

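/**
 * Contains CRUD actions for Favorite.
 *
 * #[CsrfProtection] at class level applies the double-submit-cookie check to
 * every action in this controller: an AJAX request must send the
 * X-CSRF-Header header with the token value stored in the _csrf (HTTP) or
 * https-_csrf (HTTPS) cookie.
 *
 * The #[Route] attribute is declared once: declaring it twice (as the
 * original listing did) registers the same route prefix twice.
 */
#[Route(path: '/favorite', name: 'acme_demo_favorite_')]
#[CsrfProtection]
class FavoriteController extends AbstractController
{
}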

Action level protection

src/Acme/Bundle/DemoBundle/Controller/FavoriteController.php 
<?php

namespace Acme\Bundle\DemoBundle\Controller;

    /**
     * Renders the Favorite index template for the "custom" route.
     *
     * #[CsrfProtection] on this single action means an AJAX request to it must
     * carry the X-CSRF-Header header matching the token in the _csrf /
     * https-_csrf cookie. #[Acl] additionally requires the VIEW permission on
     * the Favorite entity (the route is otherwise unrestricted by HTTP method).
     *
     * @return array Template parameters consumed by #[Template]
     */
    #[Route(path: '/custom', name: 'custom')]
    #[CsrfProtection]
    #[Template('@AcmeDemo/Favorite/index.html.twig')]
    #[Acl(
        id: 'acme_demo_favorite_custom',
        type: 'entity',
        class: 'Acme\Bundle\DemoBundle\Entity\Favorite',
        permission: 'VIEW'
    )]
    public function customAction(): array
    {
        // Only the entity class name is handed to the template.
        $templateParameters = ['entity_class' => Favorite::class];

        return $templateParameters;
    }