From 074e8b2031c4340ad42b871c773a82f56e5492ed Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 19 Sep 2021 14:53:09 +0200 Subject: [PATCH] Update doc to prepare MAIN_SECURITY_CSRF_WITH_TOKEN to 2 by default --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index d27749eb203..61f4a392db8 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -54,7 +54,7 @@ ONLY vulnerabilities discovered, when the following setup on test platform is us * $dolibarr_main_prod must be set to 1 into conf.php * $dolibarr_nocsrfcheck must be kept to the value 0 into conf.php (this is the default value) * $dolibarr_main_force_https must be set to something else than 0. -* The constant MAIN_SECURITY_CSRF_WITH_TOKEN must be set to 1 into backoffice menu Home - Setup - Other (this protection should be set to 1 soon by default) +* The constant MAIN_SECURITY_CSRF_WITH_TOKEN must be set to 2 into backoffice menu Home - Setup - Other (this protection should be set to 2 soon by default) * The module DebugBar and ModuleBuilder must NOT be enabled (by default, these modules are not enabled. They are developer tools) * ONLY security reports on modules provided by default and with the "stable" status are valid (troubles into "experimental", "developement" or external modules are not valid vulnerabilities). * The root of web server must link to htdocs and the documents directory must be outside of the web server root (this is the default when using the default installer but may differs with external installer).