SymfonyWorld Online 2021 Winter Edition December 9 – 10, 2021 100% Online 25 talks and 10 workshops

New in Symfony 5.3: Better Protection Against BREACH Attack

Symfony 5.3 is backed by JoliCode. JoliCode is a team of passionate developers and open-source lovers, with a strong expertise in PHP & Symfony technologies. They can help you build your projects using state-of-the-art practices.

Contributed by
Jérémy Derussé
in #39919.

BREACH is a security exploit against HTTPS when using HTTP compression. This kind of compression side-channel attacks are used to read some data by knowing only the size of the compressed data.

Your site is at risk if attackers can read the size of your encrypted traffic and can also make any number of HTTP requests with CSRF tokens. The traditional way of mitigating this attack was to disable HTTP compression, which hurts performance significantly.

Another possible solution is to ensure that CSRF tokens include some randomness, to prevent repetitive output in your responses. That’s why in Symfony 5.3 CSRF tokens are automatically randomized.

This randomization process is transparent to the application, so you don’t need to configure anything and you don’t need to change your application code. If you disabled compression when using HTTPS because of this attack, upgrade to Symfony 5.3 and enable compression again to improve your site performance.

This is yet another reason why using a professional framework like Symfony is better in the long run. Symfony will protect your application and your users against many common security vulnerabilities, even those you are not aware of.

Help the Symfony project!

As with any Open-Source project, contributing code or documentation is the most common way to help, but we also have a wide range of sponsoring opportunities.

Comments

Good to hear!
Can't wait!!
🎉🎉🎉
Bravo !
Chinese translation of this article (本文中文翻译): https://phpzlc.gitee.io/blog/9.html
This is very usesul, thank you !

Comments are closed.

To ensure that comments stay relevant, they are closed for old posts.