Contributed by Jérémy Derussé in #39919.
BREACH is a security exploit against HTTPS when using HTTP compression. This kind of compression side-channel attacks are used to read some data by knowing only the size of the compressed data. Your site is at risk if attackers can read the size of your encrypted traffic and can also make any number of HTTP requests with CSRF tokens. The traditional way of mitigating this attack was to disable HTTP compression, which hurts performance significantly. Another possible solution is to ensure that CSRF tokens include some randomness, to prevent repetitive output in your responses. That’s why in Symfony 5.3 CSRF tokens are automatically randomized. This randomization process is transparent to the application, so you don’t need to configure anything and you don’t need to change your application code. If you disabled compression when using HTTPS because of this attack, upgrade to Symfony 5.3 and enable compression again to improve your site performance. This is yet another reason why using a professional framework like Symfony is better in the long run. Symfony will protect your application and your users against many common security vulnerabilities, even those you are not aware of.
Sponsor the Symfony project.Connectez-vous pour ajouter un commentaire
Autres messages de ce groupe
This week, development activity mostly focused on dealing with the deprecation of sleep/wakeup methods in PHP 8.5 and their replacement by serialize/unserialize methods. In addition, we published more
It’s been only in July that we published symfony/ai and kicked off our AI initiative, but the repository has been busy since day one. Over 500 stars, more than 200 pull requests & issues, trending
🎤 Take the stage at SymfonyCon Amsterdam 2025, on your own terms!
The Unconference track is back and more dynamic than ever!
This unique, participant-driven format invites attendees to shape
This week, Symfony completed the migration to PHPUnit 12 in the 7.4 branch, which required many changes during the past weeks, such as replacing annotations with attributes. In addition, we updated th
🧑💻HACKDAY IS COMING!
Get ready to code, collaborate, and contribute, Symfony Hackday is back!
Join us in Amsterdam on Saturday, November 29th, for a hands-on hackathon designed to bring the
This week, Symfony released the maintenance versions 6.4.24, 7.2.9, and 7.3.2. Meanwhile, we began deprecating the XML configuration format in some components, enhanced the YAML configuration format t
Symfony 6.4.24 has just been released. Read the Symfony upgrade guide to learn more about upgrading Symfony and use the SymfonyInsight upgrade reports to detect the code you will need to change in you
