Audit
symfony-csrf-protection-disabled
symfony-csrf-protection-disabled
CSRF protection is disabled for this configuration. This is a security risk. Make sure that it is safe or consider setting csrf_protection
property to true
.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-352: Cross-Site Request Forgery (CSRF)
OWASP:
- A01:2021 - Broken Access Control
symfony-permissive-cors
symfony-permissive-cors
Access-Control-Allow-Origin response header is set to ”*”. This will disable CORS Same Origin Policy restrictions.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-346: Origin Validation Error
OWASP:
- A07:2021 - Identification and Authentication Failures
symfony-non-literal-redirect
symfony-non-literal-redirect
The redirect()
method does not check its destination in any way. If you redirect to a URL provided by end-users, your application may be open to the unvalidated redirects security vulnerability. Consider using literal values or an allowlist to validate URLs.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
OWASP:
- A01:2021 - Broken Access Control