
Magento 1 - CSRF

magento
caching

#1

Magento 1 has added a CSRF token to URLs throughout the Magento 1 codebase. Whilst well intentioned, these tokens firstly do not provide any additional protection or security function in most of the locations where they are implemented.
Secondly, and more importantly, Magento has implemented CSRF tokens in areas that prevent HTML caching from being applied across most pages of the site.

For discussion on CSRF and why it’s being misapplied in Magento see this post from our head of security:
https://www.section.io/blog/csrf-and-caching/

To enable HTML caching in Magento you need to be able to work around the CSRF limitation. This can involve application code changes (to move the CSRF token into a cookie, for example). Alternatively, in Magento EE 14.2.2 and CE 1.9.2.2, functionality was introduced to stop breaking the ability to cache HTML content. Disable CSRF here:
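As an added illustration (not code from this post or from Magento), the sketch below shows why a per-session form key embedded in the URL makes the HTML unshareable across visitors, and how a cookie-based token keeps the page cacheable while still being checked on the server. The secret, URL path and cookie name are assumed values for the example.

```python
import hashlib
import hmac
import secrets

SECRET = b"assumed-server-side-secret"  # constructed for the example, not a real key


def render_with_form_key(session_id: str) -> str:
    """Magento 1 style: a per-session form key is baked into the URL, so the
    HTML body differs for every visitor and a shared cache cannot store one copy."""
    form_key = hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()[:16]
    return f'<a href="/checkout/cart/add/product/42/form_key/{form_key}/">Add to cart</a>'


def render_cacheable(session_id: str) -> str:
    """Cookie-based variant: the HTML carries no per-user state. The token lives in
    a cookie and client-side script copies it into the request; session_id is unused."""
    return '<a href="/checkout/cart/add/product/42/" data-csrf="cookie:csrf_token">Add to cart</a>'


def issue_csrf_cookie() -> str:
    """Random token to be set as the csrf_token cookie (readable by script,
    so it must not be HttpOnly; it should be Secure and SameSite)."""
    return secrets.token_hex(16)


def verify_double_submit(cookie_token: str, submitted_token: str) -> bool:
    """Accept the request only if the value sent in the form field or header matches
    the cookie value. A cross-site page can trigger the request but cannot read the
    cookie, so it cannot supply a matching value. Constant-time compare avoids leaks."""
    if not cookie_token or not submitted_token:
        return False
    return hmac.compare_digest(cookie_token, submitted_token)


def is_shareable(render, sessions) -> bool:
    """True if the rendered HTML is byte-identical across sessions, i.e. an edge
    cache could store a single copy and serve it to every visitor."""
    return len({render(s) for s in sessions}) == 1
```

The cookie approach only holds if the cookie cannot be set by an attacker-controlled subdomain, so scope and flag the cookie accordingly.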

