CiviCRM allows administrators to define custom profile-forms in which constituents enter their names, addresses, custom data, etc. CiviCRM is designed to embed all its forms within a CMS (such as Drupal, Joomla, or WordPress), but some administrators also need to embed profile-forms in an external site or custom HTML document. This has sometimes been accomplished with an "HTML Snippet" technique -- the bare, literal HTML code for a profile-form is manually copied and pasted to an external web site.
Unfortunately, this technique is incompatible with the "qfKey" security feature which prevents cross-site request forgery. Profile-forms had the "qfKey" security feature disabled. This constitutes a functionality-vs-security trade-off that some have found acceptable, but it is not appropriate or necessary for all organizations.
Beginning with 4.7.11+ and 4.6.21+, this compromise is no longer necessary -- the "qfKey" enforcement is now available but optional. Specifically:
- New CiviCRM installations will enable "qfKey" security for profiles by default. This is a more secure default that works for the majority of organizations.
- Existing CiviCRM installations will disable "qfKey" security for profiles by default. This is a more compatible default that ensures that existing customizations continue to work.
- When administrators review CiviCRM's self-diagnosis for potential security issues, it will display a warning if you have disabled "qfKey".
In 4.7.11+/4.6.21+, you can toggle this option by:
- Navigating to "Administer => System Settings => Misc"
- (OR) Modifying the setting "remote_profile_submissions"
Up through v4.6.20 and v4.7.10
v4.6.21+ and v4.7.11+
Any ONE of the following:
- Upgrade to CiviCRM v4.7.11+ or v4.6.21+
- Backport PR #8925 and #8946 (or: #8931 + #8947)
Additionally, if your system has used the "HTML Snippet" technique, then you should evaluate measures such as:
- Configure HTTP firewalling to prevent POSTs to CiviCRM from unrecognized referrers
- Replace the "HTML Snippet" with a custom integration that uses a more secure data-flow based on APIv3 and REST.
- Lateral Security
- Pradeep Nayak (JMA Consulting)
- Chris Burgess (Fuzion)
- Tim Otten (CiviCRM)
- Seamus Lee (Australian Greens)