Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In with Google Sign In with OpenID

Two security questions

edited October 2013 in Framework

First, how can I avoid csrf attacks? It seems not mentioned in the documentation.

Second, I saw some other frameworks or cms put a blank html file named "index.html" in folders to prevent visitors from listing files. Is this necessary?



  • When the Form class generates a form, it automatically injects a token into it to protect against CSRF attacks. So as long as you build your form with the Form class, you should be safe.

    As for blank index.html files, Elefant does it a bit differently and relies on server configuration. If you're using Nginx, we use the following configuration:

    location ^~ /conf/ {
        deny all;
        return 403;
    location ~ ^/(cache|apps|tests)/.*\.(php|sql)$ {
        deny all;
        return 403;

    Using Apache, we put .htaccess files in the same folders to deny access.

  • Thanks :)

Sign In or Register to comment.