diff --git a/config/packages/csrf.yaml b/config/packages/csrf.yaml
index 40d4040..233488a 100644
--- a/config/packages/csrf.yaml
+++ b/config/packages/csrf.yaml
@@ -1,11 +1,10 @@
 # Enable stateless CSRF protection for forms and logins/logouts
 framework:
- form:
- csrf_protection:
- token_id: submit
-
- csrf_protection:
- stateless_token_ids:
- - submit
- - authenticate
- - logout
+# form:
+# csrf_protection:
+# token_id: submit
+# csrf_protection:
+# stateless_token_ids:
+# - submit
+# - authenticate
+# - logout
diff --git a/config/packages/framework.yaml b/config/packages/framework.yaml
index 49e7c57..ddbf4c4 100644
--- a/config/packages/framework.yaml
+++ b/config/packages/framework.yaml
@@ -15,6 +15,15 @@ framework:
 storage_factory_id: session.storage.factory.native
 save_path: '%kernel.project_dir%/var/sessions/%kernel.environment%'
+when@prod:
+ framework:
+ session:
+ handler_id: null
+ cookie_secure: true
+ cookie_samesite: lax
+ storage_factory_id: session.storage.factory.native
+ save_path: '%kernel.project_dir%/var/sessions/%kernel.environment%'
+
 #esi: true
 #fragments: true
diff --git a/public/index.php b/public/index.php
index 89cccd2..7161db3 100644
--- a/public/index.php
+++ b/public/index.php
@@ -7,7 +7,7 @@ require_once dirname(__DIR__).'/vendor/autoload_runtime.php';
 return function (array $context) {
 if ($trustedProxies = $context['TRUSTED_PROXIES'] ?? $_ENV['TRUSTED_PROXIES'] ?? false) {
- Request::setTrustedProxies(explode(',', $trustedProxies), Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_PROTO | Request::HEADER_X_FORWARDED_HOST | Request::HEADER_X_FORWARDED_PORT);
+ Request::setTrustedProxies(explode(',', $trustedProxies), Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_PROTO | Request::HEADER_X_FORWARDED_HOST | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PREFIX);
 }
 if ($trustedHosts = $context['TRUSTED_HOSTS'] ?? $_ENV['TRUSTED_HOSTS'] ?? false) {
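Review bot: The header comment on the first context line still reads `# Enable stateless CSRF protection for forms and logins/logouts` while every key beneath `framework:` is now commented out, so the file documents the opposite of what it configures. If I read Symfony's defaults correctly, removing `stateless_token_ids` does not switch CSRF off but moves the `submit`, `authenticate` and `logout` tokens back to session-backed storage, so login and logout POSTs now depend on a session cookie being present; any `security.yaml` settings written for stateless tokens should be re-checked, and this diff does not show them. Replace the stale comment with one that states the intent, e.g. `# Stateless CSRF disabled: form/login/logout tokens fall back to the session-backed default`, and delete the commented-out block instead of keeping it, since a bare `framework:` with no children leaves a reader nothing to verify.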
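Review bot: The new `when@prod` session block repeats `storage_factory_id` and `save_path` with exactly the values the two context lines above show in the base `framework.session` block (and `handler_id: null`, which I cannot compare from here), so only `cookie_secure: true` and `cookie_samesite: lax` appear to change anything in prod. Trimming the override to those two keys keeps the base block authoritative and prevents a later edit to `save_path` or the storage factory from silently not applying in prod. Consider adding `cookie_httponly: true` beside them so all three cookie hardening flags are visible in one place; Symfony's default is already true, so this is documentation rather than a behavior change. The base `session:` mapping these lines override begins outside the hunk.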
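Review bot: Adding `Request::HEADER_X_FORWARDED_PREFIX` to the trusted header set on the changed line is only safe if every proxy listed in `TRUSTED_PROXIES` sets or strips `X-Forwarded-Prefix` itself; a proxy that merely passes the client's copy through lets any client rewrite the base path Symfony uses for generated URLs and redirects, so if the proxy does not emit this header the bit should stay out. Separately, `explode(',', $trustedProxies)` on the same line keeps surrounding whitespace, so a value such as `10.0.0.1, 10.0.0.2` yields an entry `' 10.0.0.2'` that, as far as I can tell, will never match a REMOTE_ADDR; `array_map(trim(...), explode(',', $trustedProxies))` avoids that silent misconfiguration. A short comment above the call, `// Only headers the edge proxy overwrites may be trusted here`, would make the contract explicit for whoever next extends the list. The closure `return function (array $context)` continues past the last line of the hunk.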