Default setting for validate_formkey_checkout => 1

[kkrieger85]

After new installation there's a warning in Backend.

    <div class="notification-global notification-global-warning">
        <strong style="color:red">Important: </strong>
        <span>Formkey validation on checkout disabled. This may expose security risks.
        We strongly recommend to Enable Form Key Validation On Checkout in
        <a href="<?php echo $this->getSecurityAdminUrl(); ?>">Admin / Security Section</a>,
        for protect your own checkout process. </span>
    </div>

Is there a reason why the default setting should not be 1 (for yes, validate formkey)?

[colinmollenhour]

Probably just so that upgrades for existing users with modified template files don't get broken checkouts.

One way around this could be to add some code to one of the initial install-1.0.php files so that new installations get the value overridden and old installations do not.

[kkrieger85]

Agree with using an install script.

In general, I think, it would improve shop security. So we should force user to be more secure.