Magento Admin – Is Adding Secret Key to URLs Necessary?

admin

I found this 'yes' option is the default when I install:

Admin – Add Secret Key to URLs – Yes

Whenever I use the admin, the URL seems so complicated due to this option.

e.g.) http://my-domain.com/index.php/mydomain_admin/system_config/edit/section/admin/key/d7b0ccc20349109f7d533de7bea8ff9b/

Does using this option have some benefit? Does it affect admin speed/performance badly?

Do you recommend setting this option to 'yes', and can I know the reason?

Best Answer

This option is necessary to protect against CSRF attacks:

Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf[1]) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.[2] Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

There is no speed benefit to disabling this option, and it opens your store up to potential attack. I recommend leaving this option enabled.


Sources:

http://en.wikipedia.org/wiki/Cross-site_request_forgery
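To make the answer concrete, here is a small model of what the secret key in the URL buys you. This is an added example, not Magento's code, and the HMAC-based key derivation is a stand-in for whatever Magento actually uses; the route names, the `mydomain_admin` path and the `AdminSession` class are constructed for the illustration. The point it demonstrates is that a request arriving with the victim's session cookie is still refused unless it also carries a key that only the admin UI rendered for that session and that route could have produced.

```python
"""Simplified model of per-session secret keys in admin URLs (the mechanism
behind Magento's "Add Secret Key to URLs" option).

Constructed example: not Magento's own code, and the HMAC derivation below is
a stand-in for Magento's actual key scheme."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

ADMIN_PREFIX = "/index.php/mydomain_admin/"  # constructed admin front name


@dataclass
class AdminSession:
    """Server-side session state looked up from the browser's session cookie."""
    user: str
    # Random per-login secret. It is never sent to the browser as such; it is
    # only used to derive the /key/<hash>/ segment of links the admin UI renders.
    url_secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))


def url_key(session: AdminSession, route: str) -> str:
    """Derive the key for one route from this session's secret (HMAC stand-in)."""
    return hmac.new(session.url_secret, route.encode(), hashlib.sha256).hexdigest()


def build_admin_url(session: AdminSession, route: str) -> str:
    """Render a link the way the admin UI would, with /key/<hash>/ appended."""
    return f"{ADMIN_PREFIX}{route}/key/{url_key(session, route)}/"


def parse_admin_url(url: str) -> Tuple[str, Optional[str]]:
    """Split an admin URL into (route, key); key is None when it is absent."""
    path = url[len(ADMIN_PREFIX):].strip("/")
    if "/key/" in path:
        route, key = path.split("/key/", 1)
        return route, key
    return path, None


def handle_request(session: AdminSession, url: str) -> str:
    """Server-side check: the key must match this session *and* this route."""
    route, key = parse_admin_url(url)
    if key is None:
        return "denied: missing key"
    # compare_digest avoids leaking timing information about the expected key.
    if not hmac.compare_digest(key, url_key(session, route)):
        return "denied: bad key"
    return f"ok: {route}"


def demo() -> dict:
    """Walk through the cases a defender cares about and return the outcomes."""
    session = AdminSession(user="admin")
    good = build_admin_url(session, "system_config/edit/section/admin")
    results = {"legitimate": handle_request(session, good)}

    # A third-party page can make the victim's browser send a request that
    # carries the victim's cookie, but it cannot read the session secret, so
    # the forged request arrives either without a key ...
    results["no_key"] = handle_request(session, f"{ADMIN_PREFIX}system_config/save/")

    # ... or with a key that was minted for some other session ...
    other = AdminSession(user="other_admin")
    results["other_session_key"] = handle_request(
        session, build_admin_url(other, "system_config/save"))

    # ... or with a key that this session minted for a different route.
    _, key = parse_admin_url(good)
    results["route_mismatch"] = handle_request(
        session, f"{ADMIN_PREFIX}system_config/save/key/{key}/")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>18}: {outcome}")
```

Only the first case succeeds; the other three are refused even though every one of them would have carried a valid session cookie. That is why the option costs nothing measurable in performance (one hash per rendered link) yet closes off the whole class of forged-link attacks the answer describes.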
