Safe Mode: Relaxing Twig's Security Policy

If you are using “Safe Mode” with October CMS, you may notice that the Twig environment becomes very strict and will not allow methods to be called on objects. This policy prevents Twig templates from calling PHP code that could be used to attack the server.

After enabling safe mode, you may see the following error in your codebase:

  • Twig\Sandbox\SecurityNotAllowedMethodError: Calling any method on “…” is blocked in “…”

This approach is called an allow-list (aka white-list) Twig security policy and applies when using the safe mode configuration (disabled by default) or when using the system Twig engine (mail templates).

Switching to a Block-List (V1 Security)

You can switch to the block-list (aka black-list) security policy with the CMS_SECURITY_POLICY_V1 environment variable.

CMS_SECURITY_POLICY_V1=true

Make sure you have the following configuration in the config/cms.php file:

/*
|--------------------------------------------------------------------------
| V1 Security Policy
|--------------------------------------------------------------------------
|
| When using safe mode configuration, the Twig sandbox becomes very strict and
| uses an allow-list to protect calling unapproved methods. Instead, you may
| use V1, which is a more relaxed policy that uses a block-list, it blocks
| most of the unsecure methods but is not as secure as an allow-list.
|
*/

'security_policy_v1' => env('CMS_SECURITY_POLICY_V1', false),

To hard-code the value, set it to true:

'security_policy_v1' => true,
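
The trade-off named in the configuration comment above, shown as an added example (this is not October CMS or Twig code; the policy classes, the Post model and both lists are constructed for illustration). A method that appears on neither list is refused by the allow-list and permitted by the block-list:

```php
<?php
// Added illustration, not October CMS or Twig code; all names and lists are constructed.

// Allow-list: deny unless the (class, method) pair was explicitly approved.
final class AllowListPolicy
{
    public function __construct(private array $allowed) {}
    public function checkMethodAllowed(object $obj, string $method): void
    {
        foreach ($this->allowed as $class => $methods) {
            if ($obj instanceof $class && in_array(strtolower($method), $methods, true)) {
                return;
            }
        }
        throw new RuntimeException(get_class($obj) . "::$method is not on the allow-list");
    }
}

// Block-list: permit unless the method name was explicitly banned.
// PHP method names are case-insensitive, so names are lowercased before comparing.
final class BlockListPolicy
{
    public function __construct(private array $blocked) {}
    public function checkMethodAllowed(object $obj, string $method): void
    {
        if (in_array(strtolower($method), $this->blocked, true)) {
            throw new RuntimeException(get_class($obj) . "::$method is on the block-list");
        }
    }
}

// purge() stands for a risky method added after both lists were written.
final class Post
{
    public function title(): string { return 'Hello'; }
    public function delete(): void {}
    public function purge(): void {}
}
$allow = new AllowListPolicy([Post::class => ['title']]);
$block = new BlockListPolicy(['delete']);
foreach (['allow-list' => $allow, 'block-list' => $block] as $name => $policy) {
    foreach (['title', 'delete', 'purge'] as $method) {
        try {
            $policy->checkMethodAllowed(new Post(), $method);
            echo "$name: $method allowed\n";
        } catch (RuntimeException $e) {
            echo "$name: $method blocked\n";
        }
    }
}
```

Before setting CMS_SECURITY_POLICY_V1=true, review which object methods your templates can reach, since anything the block-list does not name stays callable.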