polarisham Posted February 23, 2011

In the preference tab there is an option to "increase front office security": "Enable or disable token on the Front Office in order to improve PrestaShop security". If I enable it, are there any potential problems? Is it best left disabled or enabled?

shokinro Posted February 23, 2011

> If I enable are there any potential problems, is it best left disabled or enabled?

I think it is enabled by default. You can disable it if you want. But I suggest leaving it enabled.

polarisham (Author) Posted February 24, 2011

The NO box on mine is ticked by default. Does this make it more secure or less secure? The way I read it, the token is not disabled.

shokinro Posted February 24, 2011

If "NO" is ticked, it is less secure; it is better to tick "YES".

noesac Posted March 9, 2011

Can someone please explain what this actually does? It just seems a bit mysterious. Where can it potentially cause problems? I would like to focus my testing in those areas. I'm worried it will cause lots of SSL / payment verification issues!

ebuildy Posted September 1, 2011

Hi noesac, when you enable this security option, in addition to the COOKIE, PrestaShop will check for a piece of data called "token". This data will be sent to the server via GET or POST (in addition to the COOKIE) when the user does a cart operation (add, remove, checkout...). This is not SSL at all, but take care not to use it if you have a static cache such as a Squid proxy, because the token is stored in the HTML page itself! Not sure it's a bug, but even if you don't enable this function, the token is there, but not used!
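
The static-cache caveat in the post above, as an added example that is not part of the thread and is not PrestaShop's code: a token tied to each visitor's cookie is embedded in the page, and a cache that stores one rendered copy per URL hands the first visitor's token to everyone else. The HMAC scheme, the URL layout, the `StaticCache` class and the cookie values are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)  # assumption: a per-shop secret key


def token_for(session_cookie: str) -> str:
    """Token bound to one visitor's cookie (assumed scheme: HMAC-SHA256)."""
    return hmac.new(SERVER_SECRET, session_cookie.encode(), hashlib.sha256).hexdigest()


def render_product_page(session_cookie: str) -> str:
    """The token is written into the HTML itself, as the post describes."""
    return f'<a href="/cart?add=1&id_product=7&token={token_for(session_cookie)}">Add to cart</a>'


def cart_operation(session_cookie: str, token: str) -> bool:
    """Accept a cart request only if the token matches the cookie."""
    return hmac.compare_digest(token, token_for(session_cookie))


def extract_token(html: str) -> str:
    """Pull the token out of the link in the rendered page."""
    return html.split("token=")[1].split('"')[0]


class StaticCache:
    """Hypothetical cache: keeps the first rendered page per URL, ignores cookies."""

    def __init__(self):
        self.store = {}

    def get(self, url: str, session_cookie: str) -> str:
        if url not in self.store:
            self.store[url] = render_product_page(session_cookie)
        return self.store[url]


def simulate():
    alice, bob = "cookie-alice-constructed", "cookie-bob-constructed"  # constructed values
    cache = StaticCache()
    direct = cart_operation(bob, extract_token(render_product_page(bob)))
    cache.get("/product/7", alice)            # Alice's page fills the cache
    bob_html = cache.get("/product/7", bob)   # Bob is served Alice's HTML
    via_cache = cart_operation(bob, extract_token(bob_html))
    leaked = extract_token(bob_html) == token_for(alice)
    return direct, via_cache, leaked


if __name__ == "__main__":
    print(simulate())
```

`simulate()` returns three flags: the uncached request is accepted, the request built from the cached page is rejected, and the cached page carries the first visitor's token. Pages that embed the token therefore need to bypass the shared cache or be cached per visitor.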