From 7facb1db477b048e685c4029ef7417301c868189 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 7 Sep 2020 20:59:29 +0200 Subject: [PATCH] Update security scope --- SECURITY.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index ac9ccbc677f..d0ab526b012 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -64,9 +64,10 @@ No vulnerability disclosure, including partial is allowed for the moment. ONLY vulnerabilities discovered, when the following setup on tested platform is used, are accepted: -* $dolibarr_main_prod must be 1 into conf.php -* $dolibarr_nocsrfcheck must not be set to 0 (should be 1 by default) into conf.php -* The constant MAIN_SECURITY_CSRF_WITH_TOKEN must be set to 1 into backoffice menu Home - Setup - Other (this value should be hard switched soon to 1 by default) +* $dolibarr_main_prod must be set to 1 into conf.php +* $dolibarr_nocsrfcheck must be kept to the default value 1 into conf.php +* The module DebugBar must NOT be enabled (by default, this module is not enabled) +* The constant MAIN_SECURITY_CSRF_WITH_TOKEN must be set to 1 into backoffice menu Home - Setup - Other (this value should be switched soon to 1 by default) * ONLY security reports on "stable" modules are allowed (troubles into "experimental" and "developement" modules are not accepted). Scope is the web application (back office) and the APIs.
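Review bot: the rewritten bullets tell reporters what the configuration must be but not how to verify it, and the wording is inconsistent between "must be set to 1" and "must be kept to the default value 1" for the two conf.php variables; consider quoting the exact expected lines, e.g. `$dolibarr_main_prod = '1';` and `$dolibarr_nocsrfcheck = '1';`, so a reporter can diff their conf.php against the accepted setup before filing. While touching this list, "into conf.php" should read "in conf.php", "this value should be switched soon to 1 by default" reads better as "this value will soon default to 1", and the unchanged context line still carries the typo "developement" (should be "development").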