[Owasp-leaders] Protecting Django apps from CSRF

John Steven John.Steven at owasp.org
Thu May 16 18:20:58 UTC 2013


An email is not a befitting format for a good answer. And, the
documentation itself is actually really good, by comparison. Shockingly so
for a framework, IMO.


1) XMLHttpRequests have already been covered by a previous
    post I believe. More info present in link provided above.

2) Secure by default -

    prefer middleware_class inclusion rather than csrf_protect()
    wrapping…discretionary application of the decorator pattern

    prefer RequestContext rather than manual import for the
    view handlers
3) Set CSRF_COOKIE_DOMAIN and understand limitations:

…there's more work to do:

4) Understand the scheme relies (only) on referrer checking to
     prevent MitM.

5) Django CSRF tokens have no (effective) expiry. Fixing this,
    I recall, requires a code customization.

As with any framework there are more positive/negative standards than this
and the standards tend to be version-specific.

Standard CSRF disclaimers would apply: do not rely on tokens for crossing
privilege / sensitivity boundaries and so forth.

Phone: 703.727.4034
Rss: http://feeds.feedburner.com/M1splacedOnTheWeb

On Thu, May 16, 2013 at 11:53 AM, Matt Tesauro <matt.tesauro at owasp.org> wrote:

> While I'm up to my ears with Python at Rackspace & with OpenStack, I've
> not used Django for any of the code I've written recently - or actually
> ever.
> I've got an app which is basically using the Django CSRF protection as
> outlined here:
> https://docs.djangoproject.com/en/dev/ref/contrib/csrf/
> for both "normal" web forms as well as AJAX calls.
> I'm curious about anyone's experience with the Django CSRF protection, how
> well it works and any "gotchas", weakness or other issues with Django's
> CSRF protection.
> List or direct replies appreciated.
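An added example, not part of either message in this thread: a small offline audit of a Django settings module against points 2 through 5 above (middleware rather than csrf_protect(), CSRF_COOKIE_DOMAIN scope, the Referer check being HTTPS-only, and token expiry). It inspects a plain dict so it runs without Django installed; the setting names are real Django settings, and the two sample configurations are constructed for illustration.

```python
CSRF_MIDDLEWARE = "django.middleware.csrf.CsrfViewMiddleware"


def audit_csrf_settings(settings):
    """Return a list of finding strings; an empty list means nothing flagged."""
    findings = []

    # Point 2: rely on the middleware (protection on by default) rather than
    # remembering csrf_protect() on every view. MIDDLEWARE_CLASSES is the
    # pre-1.10 setting name, MIDDLEWARE the current one.
    middleware = settings.get("MIDDLEWARE", settings.get("MIDDLEWARE_CLASSES", ()))
    if CSRF_MIDDLEWARE not in middleware:
        findings.append("CsrfViewMiddleware missing: only views wrapped in "
                        "csrf_protect() are checked")

    # Point 3: a leading-dot CSRF_COOKIE_DOMAIN shares the token cookie with
    # every subdomain, so all of them must be trusted to the same degree.
    domain = settings.get("CSRF_COOKIE_DOMAIN")
    if domain and domain.startswith("."):
        findings.append("CSRF_COOKIE_DOMAIN=%s: token cookie is shared with "
                        "all subdomains" % domain)

    # Point 4: Django's strict Referer check only runs for HTTPS requests, and
    # a cookie without the Secure flag also travels over plain HTTP.
    if not settings.get("CSRF_COOKIE_SECURE", False):
        findings.append("CSRF_COOKIE_SECURE is off: token cookie is sent over "
                        "plain HTTP")

    # Point 5: the token cookie has no effective expiry by default; newer
    # Django versions expose CSRF_COOKIE_AGE (default about one year).
    if settings.get("CSRF_COOKIE_AGE") is None:
        findings.append("CSRF_COOKIE_AGE unset: token cookie lives ~1 year")

    return findings


# Constructed sample: decorator-only protection, permissive cookie settings.
WEAK_SETTINGS = {
    "MIDDLEWARE_CLASSES": ("django.middleware.common.CommonMiddleware",),
    "CSRF_COOKIE_DOMAIN": ".example.com",
}

# Constructed sample: middleware on, cookie scoped to one host, Secure, aged.
HARDENED_SETTINGS = {
    "MIDDLEWARE": ["django.middleware.common.CommonMiddleware", CSRF_MIDDLEWARE],
    "CSRF_COOKIE_DOMAIN": "app.example.com",
    "CSRF_COOKIE_SECURE": True,
    "CSRF_COOKIE_AGE": 3600,
}
```

Running `audit_csrf_settings(WEAK_SETTINGS)` yields four findings, one per point; the hardened dict yields none.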