Hi Alan,
I'm back again to bug you about the architectural details of Magento 2. In your eBook you mentioned that Magento 2 supports Varnish without compromising on security. Can you give a quick summary of what measures it's taking to maintain a secure site when running behind Varnish or even point me to the files in the codebase that implement this part of the architecture so I can go poking around?
Thanks!
Disclaimer: this may or may not be... ok it is 100% related to a talk I am giving at Developers Paradise in Croatia next month
-Talesh
Gosh! Read my book already? The primary thing I was referring to was form keys. Magento 1 injected form keys into HTML pages, which made them hard to cache. We put a random number into each page which was POSTed with the form. It meant you could only do a POST if you just did a GET (which returned the form key). A common solution in M1 was to turn off form keys, making the HTML easier to cache.
M2 achieved the same goal without injecting content into the returned HTML. It used, ummmm, I think it might have been JavaScript and Cookies - slipped my mind at the moment. But it gave the additional level of security checking without modifying the HTML for each returned form. So the form can be cached by Varnish safely. I can dig up more details if you need them, I just remember the high level story. I also remember the brain twisting to make sure that it was really secure.
Yes on the book! I like the top down learning sometimes. This is just enough for me to go on, as I know where to look, what to test and how to describe it.
It still sounds like it needs some VCL tweaking to be aware of how Magento 2 will be sending keys across for forms, but now that I know where to look I'll just fire up the loggers and look for the incoming requests and track back. Thanks again!
Please mark this as resolved if you are happy. (I think you are.)
Also, for the book, please consider leaving an honest review to help others make a decision. I put a price on it out of respect for other authors - I am not trying to undermine their living! Objective is to help people learn faster. If it's useful, please share the love. (And if not, advice on how to improve future volumes welcome!)
https://github.com/magento/magento2/issues/3707 sounded possibly interesting by the way on form keys. Yeah, a possible bug, but might give a lead.
I think I've marked this topic as resolved. Not sure if there is something else to click on. As for the book review I'll definitely do so on Amazon and DM you any other feedback I have.
-Talesh.