Contributed by Jérémy Derussé in #39919.
BREACH is a security exploit against HTTPS when using HTTP compression. This kind of compression side-channel attacks are used to read some data by knowing only the size of the compressed data. Your site is at risk if attackers can read the size of your encrypted traffic and can also make any number of HTTP requests with CSRF tokens. The traditional way of mitigating this attack was to disable HTTP compression, which hurts performance significantly. Another possible solution is to ensure that CSRF tokens include some randomness, to prevent repetitive output in your responses. That’s why in Symfony 5.3 CSRF tokens are automatically randomized. This randomization process is transparent to the application, so you don’t need to configure anything and you don’t need to change your application code. If you disabled compression when using HTTPS because of this attack, upgrade to Symfony 5.3 and enable compression again to improve your site performance. This is yet another reason why using a professional framework like Symfony is better in the long run. Symfony will protect your application and your users against many common security vulnerabilities, even those you are not aware of.
Sponsor the Symfony project.Connectez-vous pour ajouter un commentaire
Autres messages de ce groupe
SymfonyLive Berlin 2025, conference held in English, will take place from April 1 to 4! The schedule is being revealed gradually. More details are available here.
As we are now unveiling th
SymfonyLive Paris 2025, conference in French language only, will take place from March 27 to 28! The schedule is currently being revealed as we go along. More details are available here.
Al
SymfonyLive Berlin 2025, conference held in English, will take place from April 1 to 4! The schedule is being revealed gradually. More details are available here.
First, a big thank you to
SymfonyLive Paris 2025, conference in French language only, will take place from March 27 to 28! The schedule is currently being revealed as we go along. More details are available here.
To
Mark your calendars for March 17, 2025 because SymfonyDay Chicago 2025 promises to be a one-of-a-kind event that you won’t want to miss! This full day is dedicated to celebrating the incredible contri
This week, Symfony celebrated the SymfonyOnline January 2025 conference. In addition, it announced the new Symfony UX Core Team. Lastly, the upcoming Symfony 7.3 version simplified the configuration o
The Symfony UX initiative was announced in December 2020. It was introduced to enhance the developer experience by integrating JavaScript tools and libraries more seamlessly with Symfony applications,
