From your eBook: Varnish and Security


Hi Alan,

I'm back again to bug you about the architectural details of Magento 2. In your eBook you mentioned that Magento 2 supports Varnish without compromising on security. Can you give a quick summary of what measures it's taking to maintain a secure site when running behind Varnish or even point me to the files in the codebase that implement this part of the architecture so I can go poking around?

Thanks!

Disclaimer: this may or may not be... ok it is 100% related to a talk I am giving at Developers Paradise in Croatia next month :)

-Talesh

---------------------------------------------------
My Magento Security Podcast
Re: From your eBook: Varnish and Security

Gosh! Read my book already? The primary thing I was referring to was form keys. Magento 1 injected form keys into HTML pages, which made them hard to cache. We put a random number into each page which was POSTed with the form. It meant you could only do a POST if you just did a GET (which returned the form key). A common solution in M1 was to turn off form keys, making the HTML easier to cache.

M2 achieved the same goal without injecting content into the returned HTML. It used, ummmm, I think it might have been JavaScript and Cookies - slipped my mind at the moment. But it gave the additional level of security checking without modifying the HTML for each returned form. So the form can be cached by Varnish safely. I can dig up more details if you need them, I just remember the high level story. I also remember the brain twisting to make sure that it was really secure.
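The cache-friendly form-key pattern the answer describes (per-visitor key kept out of the HTML, carried in a cookie and checked on POST), as an added Python sketch for illustration; it is not Magento's own code, and the cookie name, field name and helper functions are assumptions:

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Cookie/field names and helpers are illustrative assumptions, not Magento identifiers.
FORM_KEY_COOKIE = "form_key"
FORM_KEY_FIELD = "form_key"


def issue_form_key() -> str:
    """Per-visitor random token; in the M2-style flow the server sets it as a cookie."""
    return secrets.token_urlsafe(16)


def render_form_m1(form_key: str) -> str:
    """M1-style: the key is baked into the HTML, so every visitor's page differs
    and a shared cache such as Varnish cannot serve one copy to everyone."""
    return (
        '<form method="post" action="/checkout">'
        f'<input type="hidden" name="{FORM_KEY_FIELD}" value="{form_key}">'
        "<button>Buy</button></form>"
    )


def render_form_m2() -> str:
    """M2-style: the HTML carries no per-visitor data; a small script copies the
    cookie value into the hidden field at submit time, so the page is cacheable."""
    return (
        '<form method="post" action="/checkout">'
        f'<input type="hidden" name="{FORM_KEY_FIELD}" value="">'
        "<button>Buy</button></form>"
        "<script>"
        "document.querySelector('form').addEventListener('submit', function () {"
        f"  var m = document.cookie.match(/(?:^|; ){FORM_KEY_COOKIE}=([^;]*)/);"
        f"  this.elements['{FORM_KEY_FIELD}'].value = m ? m[1] : '';"
        "});"
        "</script>"
    )


def validate_post(cookie_header: str, fields: dict) -> bool:
    """Server-side check: the key submitted in the form must equal the key in the
    browser's own cookie (double-submit pattern); compare in constant time.
    A missing or empty key on either side is rejected."""
    jar = SimpleCookie(cookie_header)
    expected = jar[FORM_KEY_COOKIE].value if FORM_KEY_COOKIE in jar else ""
    submitted = fields.get(FORM_KEY_FIELD, "")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)
```

Because `render_form_m2()` returns identical bytes for every visitor, Varnish can cache it, while the cookie still has to be excluded from the cache key and sent with the POST for `validate_post` to succeed.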

Re: From your eBook: Varnish and Security

Yes on the book! I like the top down learning sometimes. :D This is just enough for me to go on, as I know where to look, what to test and how to describe it.

It still sounds like it needs some VCL tweaking to be aware of how Magento 2 will be sending keys across for forms, but now that I know where to look I'll just fire up the loggers and look for the incoming requests and track back. Thanks again!

---------------------------------------------------
My Magento Security Podcast

Re: From your eBook: Varnish and Security

Please mark this as resolved if you are happy. (I think you are.)

Also, for the book, please consider leaving an honest review to help others make a decision. I put a price on it out of respect for other authors - I am not trying to undermine their living! Objective is to help people learn faster. If it's useful, please share the love. (And if not, advice on how to improve future volumes welcome!)

Re: From your eBook: Varnish and Security

https://github.com/magento/magento2/issues/3707 sounded possibly interesting by the way on form keys. Yeah, a possible bug, but might give a lead.

Re: From your eBook: Varnish and Security

I think I've marked this topic as resolved. Not sure if there is something else to click on. As for the book review I'll definitely do so on Amazon and DM you any other feedback I have.

-Talesh.

---------------------------------------------------
My Magento Security Podcast