• Hi there,

    I was wondering about the recent update to 4.9. In the patch notes it says that you changed the default of WPCF7_VERIFY_NONCE to false.

    I assume that the constant controls the usage of request tokens to prevent CSRF-attacks? Might I ask why you changed it to be off as default?

    Cheers!

Viewing 1 replies (of 1 total)
  • Thread Starter winnephew

    (@winnephew)

    Sorry, I just found the longer patch notes:

    A nonce is a randomly generated string used for security purposes. Contact Form 7 verifies a nonce to ensure that a form submission has correctly been sent from the contact form and not faked by a spammer.

    You can set the WPCF7_VERIFY_NONCE constant to determine whether to verify nonces. In the past, the default value was true. Contact Form 7 4.9 changes the default value to false because any good effect expected from a nonce is limited when it is used for a publicly-open contact form that anyone can submit, and undesirable side effects have been seen in some cases.

    You can continue to use nonces by setting the WPCF7_VERIFY_NONCE constant to true explicitly, or by using the new wpcf7_verify_nonce filter hook like the following:

    // Re-enable nonce verification in Contact Form 7 4.9+ via the filter hook
    add_filter( 'wpcf7_verify_nonce', '__return_true' );
    Note that the subscribers-only mode needs nonces to work and a nonce is used in the contact form in the subscribers-only mode regardless of the value of the WPCF7_VERIFY_NONCE constant.

    To be honest, I’m still confused about the explanation. I wouldn’t recommend turning this off by default especially since your plugin is so widely used and this is an important security feature for any form. This could as a side-effect open up many sites using your plugin for CSRF.

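As an added example (not part of this thread and not Contact Form 7's own code), here is one way to put the two mechanisms from the quoted patch notes, the WPCF7_VERIFY_NONCE constant and the wpcf7_verify_nonce filter, into a must-use plugin so the setting survives plugin updates and admin-UI changes. It assumes the filter receives the current boolean setting as its single argument and expects a boolean back, and that mu-plugins load after wp-config.php but before Contact Form 7 itself; the file name and the logged-in-only policy are this example's own choices.

```php
<?php
/**
 * Plugin Name: CF7 nonce policy (added example)
 * Description: Re-enables Contact Form 7 nonce verification after the 4.9 default change.
 *
 * Added example, not Contact Form 7 code. Save as
 * wp-content/mu-plugins/cf7-nonce-policy.php (assumed path) so it loads
 * before regular plugins and cannot be deactivated from the admin UI.
 */

// Option 1: the constant. This has the same effect as adding the define()
// to wp-config.php; the guard lets an existing wp-config.php definition win.
if ( ! defined( 'WPCF7_VERIFY_NONCE' ) ) {
    define( 'WPCF7_VERIFY_NONCE', true );
}

// Option 2: the filter hook. Assumption: it is called with the constant's
// current value as its only argument and must return a boolean.
// The patch notes' '__return_true' enforces nonces for everyone; this
// variant always enforces them for authenticated sessions, where a forged
// cross-site submission would ride on the victim's login cookie, and
// otherwise leaves the constant's choice in place for anonymous visitors.
add_filter( 'wpcf7_verify_nonce', function ( $verify ) {
    if ( is_user_logged_in() ) {
        return true;
    }
    return (bool) $verify;
} );
```

To confirm the policy took effect, submit a form from a logged-in session with the hidden nonce field removed or altered; Contact Form 7 should reject the submission instead of sending the mail.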
  • The topic ‘WPCF7_VERIFY_NONCE default value’ is closed to new replies.