symfony · javiereguiluz · Jan 26, 2021 · Jan 23, 2021
diff --git a/security/csrf.rst b/security/csrf.rst
@@ -85,7 +85,7 @@ this can be customized on a form-by-form basis::
 
     // src/Form/TaskType.php
     namespace App\Form;
-    
+
     // ...
     use App\Entity\Task;
     use Symfony\Component\OptionsResolver\OptionsResolver;
@@ -162,4 +162,19 @@ to check its validity::
         }
     }
 
+CSRF Tokens and Compression Side-Channel Attacks
+------------------------------------------------
+
+`BREACH`_ and `CRIME`_ are security exploits against HTTPS when using HTTP
+compression. Attacker can leverage information leaked by compression to recover
+targeted parts of the plaintext. To mitigate these attacks, and prevent an
+attacker from guessing the CSRF tokens, a random mask is prepended to the token
+and used to scramble it.
+
+.. versionadded:: 5.3
+
+    The randomization of tokens was introduced in Symfony 5.3
+
 .. _`Cross-site request forgery`: https://en.wikipedia.org/wiki/Cross-site_request_forgery
+.. _`BREACH`: https://en.wikipedia.org/wiki/BREACH
+.. _`CRIME`: https://en.wikipedia.org/wiki/CRIME