Contributed by Jérémy Derussé in #39919.
BREACH is a security exploit against HTTPS when using HTTP compression. This kind of compression side-channel attacks are used to read some data by knowing only the size of the compressed data. Your site is at risk if attackers can read the size of your encrypted traffic and can also make any number of HTTP requests with CSRF tokens. The traditional way of mitigating this attack was to disable HTTP compression, which hurts performance significantly. Another possible solution is to ensure that CSRF tokens include some randomness, to prevent repetitive output in your responses. That’s why in Symfony 5.3 CSRF tokens are automatically randomized. This randomization process is transparent to the application, so you don’t need to configure anything and you don’t need to change your application code. If you disabled compression when using HTTPS because of this attack, upgrade to Symfony 5.3 and enable compression again to improve your site performance. This is yet another reason why using a professional framework like Symfony is better in the long run. Symfony will protect your application and your users against many common security vulnerabilities, even those you are not aware of.
Sponsor the Symfony project.Login to add comment
Other posts in this group
Symfony security includes several significant improvements and new features in Symfony 7.3.
Deprecate eraseCredentials() Method… https://symfony.com/blog/new-in-symfony-7-3-security-improvements?utm_
SymfonyOnline June 2025 is almost here, starting in almost 2 months on:
June 10-11: Workshop days June 12-13: Online conference days in English. All talks will be available for replay as soon
Contributed by Antoine Bluchet in
Contributed by Nicolas Grekas in
This week, we published the second beta of Symfony 7.3, ahead of its final release later in May 2025. Meanwhile, we continued sharing posts about the new features of Symfony 7.3 and the upcoming Symfo
Symfony 7.3.0-BETA2 has just been released. This is a pre-release version of Symfony 7.3. If you want to test it in your own applications before its final release, run the following commands:
The Symfony Mailer component provides many security-related features like signing and encrypting email messages. In Symfony 7.3 we're pushing those features even further to give you greater control an
