feat: environment-specific Config\Security::$redirect
kenjis committed Mar 29, 2024
1 parent 9820c31 commit 00896cf
Showing 4 changed files with 16 additions and 6 deletions.
4 changes: 3 additions & 1 deletion app/Config/Security.php
Expand Up @@ -79,8 +79,10 @@ class Security extends BaseConfig
* --------------------------------------------------------------------------
*
* Redirect to previous page with error on failure.
*
* @see https://codeigniter4.github.io/userguide/libraries/security.html#redirection-on-failure
*/
public bool $redirect = false;
public bool $redirect = (ENVIRONMENT === 'production');

/**
* --------------------------------------------------------------------------
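Review bot: the docblock directly above `public bool $redirect = (ENVIRONMENT === 'production');` still says only "Redirect to previous page with error on failure", so someone reading the config file gets no hint that the default is now environment-dependent; add a line such as ` * Defaults to true in the production environment and false otherwise.` The initializer also evaluates `ENVIRONMENT` when the class is loaded, so this config file can no longer be included before that constant is defined (PHP 8 raises an Error for an undefined constant); if that ordering is an accepted constraint, it is worth stating in the same docblock.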
3 changes: 3 additions & 0 deletions user_guide_src/source/changelogs/v4.5.0.rst
Expand Up @@ -196,6 +196,9 @@ Others
if the HTTP method is different.
- **Bootstrap:** The ``CodeIgniter\Boot`` class has been introduced, replacing
**system/bootstrap.php**.
- **Security:** ``Config\Security::$redirect`` is now, by default, environment-specific.
For production environment, changed to ``true`` but is still ``false`` for other
environments.

********
BREAKING
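Review bot: the second sentence of the new changelog entry has no subject ("For production environment, changed to ``true`` but is still ``false`` for other environments."); suggest "In the ``production`` environment the default is now ``true``; it remains ``false`` in all other environments." so it reads as a complete sentence and matches the wording used in the upgrade guide.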
3 changes: 3 additions & 0 deletions user_guide_src/source/installation/upgrade_450.rst
Expand Up @@ -327,6 +327,9 @@ Others
- app/Config/Kint.php
- It no longer extends ``BaseConfig`` because enabling
:ref:`factories-config-caching` could cause errors.
- app/Config/Security.php
- The property ``$redirect`` has been changed to ``true`` in ``production``
environment.

All Changes
===========
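Review bot: the new upgrade note ("The property ``$redirect`` has been changed to ``true`` in ``production`` environment.") reads as if the value changes on upgrade, but an existing project keeps its own copy of **app/Config/Security.php**, so `$redirect` stays `false` there until the user edits it. State that explicitly, for example "The default value of ``$redirect`` in the shipped file is now ``true`` in the ``production`` environment; update your copy if you want the new behavior."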
12 changes: 7 additions & 5 deletions user_guide_src/source/libraries/security.rst
Expand Up @@ -130,15 +130,17 @@ may alter this behavior by editing the following config parameter value in
Redirection on Failure
----------------------

Since v4.3.0, when a request fails the CSRF validation check,
it will throw a SecurityException by default,
Starting with v4.5.0, when a request fails the CSRF validation check, by default,
the user is redirected to the previous page in production environment, or a
SecurityException is thrown in other environments.

.. note:: In production environment, when you use HTML forms, it is recommended
to enable this redirection for a better user experience.

If you want to make it redirect to the previous page,
change the following config parameter value in
**app/Config/Security.php**:
Upgrade users should check their configuration files.

If you want to make it redirect to the previous page, set the following config
parameter value to ``true`` in **app/Config/Security.php**:

.. literalinclude:: security/005.php

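Review bot: "Upgrade users should check their configuration files." does not say what to check; since the new default exists only in the shipped **app/Config/Security.php**, tell readers that a project upgraded from an earlier release still has ``$redirect = false`` and must set it to ``true`` to get the redirect in production. The closing paragraph ("If you want to make it redirect to the previous page, set the following config parameter value to ``true``") now sits right after text saying production already redirects, so qualify it, e.g. "If you want it to redirect in other environments as well, set ...". The removed "Since v4.3.0 ... it will throw a SecurityException by default" sentence was the only mention of the pre-4.5.0 behavior; keeping a one-line version note would help readers on older releases.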