Security defaults
Posted: 02 May 2012 02:48 PM
Joined: 2012-05-02
15 posts

Is there any down side to adding the following to application/config/config.php?

$config['global_xss_filtering'] = TRUE;
$config['csrf_protection'] = TRUE;

I am kind of surprised that this is not the default, so I thought I would ask why it is not.

 
Posted: 02 May 2012 07:04 PM   [ # 1 ]
Joined: 2009-05-17
1415 posts
Kenneth Vogt - 02 May 2012 02:48 PM

Is there any down side to adding the following to application/config/config.php?

$config['global_xss_filtering'] = TRUE;
$config['csrf_protection'] = TRUE;

I am kind of surprised that this is not the default, so I thought I would ask why it is not.

Yes, there are some downsides. With CSRF, I consider what happens when a post fails to be unacceptable. I use my own CSRF library. With global xss filtering, you are using extra system resources, sometimes for nothing. For instance, if you have a bunch of integer values that are posted, you don’t need to use xss clean on them. Some of the forms I work on have a couple hundred or more fields. Running xss clean on all of them doesn’t make sense.

Signature

Brian
Brian’s Web Design - Temecula
Community Auth - CodeIgniter Authentication Application

 
Posted: 03 May 2012 07:16 AM   [ # 2 ]
Joined: 2009-06-19
6267 posts

Most of the methods in CodeIgniter have a parameter to use xss_clean on input fields!

Signature

Certified State of CT Computer Programming Teacher.
Custom Designed Icons, eBook Covers, Software Boxes, CD, DVD, Etc. New iPhone® Tab Bar Icons and iPhone® Applications Icons.

STOP! Before posting your questions, remember the WWW Golden rule:
What did you try? What did you get? What did you expect to get?

Input -> Controller | Processing -> Model | Output -> View
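An added example, not code from this thread or from CodeIgniter itself, that puts the two replies above together: CSRF protection switched on in config, global XSS filtering left off, and xss_clean applied only to the one free-text field while the integer fields are validated by type instead. The controller, model and view names (Order, order_model, order_form) are assumed for illustration.

```php
<?php
// application/config/config.php (excerpt): CSRF check on every POST, XSS
// filtering left off globally so it is applied only where untrusted text is used.
// $config['global_xss_filtering'] = FALSE;
// $config['csrf_protection']      = TRUE;
// $config['csrf_token_name']      = 'csrf_token';   // hidden field name
// $config['csrf_cookie_name']     = 'csrf_cookie';
// $config['csrf_expire']          = 7200;           // seconds a token stays valid

// application/controllers/order.php (hypothetical controller for this example)
class Order extends CI_Controller {

    public function submit()
    {
        $this->load->library('form_validation');
        $this->load->helper(array('form', 'url'));

        // Numeric fields: validate the type instead of running xss_clean on them.
        // Anything that is not a natural number is rejected outright, which is
        // both cheaper and stricter than sanitising it.
        $this->form_validation->set_rules('quantity', 'Quantity', 'required|is_natural_no_zero');
        $this->form_validation->set_rules('product_id', 'Product', 'required|is_natural');

        // Free-text field: the only input where markup could arrive, so the
        // xss_clean rule is applied here and nowhere else.
        $this->form_validation->set_rules('comment', 'Comment', 'trim|max_length[500]|xss_clean');

        if ($this->form_validation->run() === FALSE)
        {
            // form_open() in the view emits the CSRF hidden field automatically
            // when csrf_protection is TRUE, so the re-rendered form stays valid.
            $this->load->view('order_form');
            return;
        }

        // Cast instead of sanitise: after validation these are known to be digits.
        $quantity   = (int) $this->input->post('quantity');
        $product_id = (int) $this->input->post('product_id');

        // Second argument TRUE runs xss_clean on this one value only; it is the
        // same as $this->security->xss_clean($this->input->post('comment')).
        $comment = $this->input->post('comment', TRUE);

        $this->load->model('order_model');   // hypothetical model
        $this->order_model->create($product_id, $quantity, $comment);
        redirect('order/thanks');
    }
}
```

With csrf_protection on, a POST whose token is missing or stale is rejected by the Security class before the controller runs, which is the failure mode Brian refers to; the per-field approach keeps xss_clean off the hundreds of numeric fields he mentions.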