[Owasp-leaders] Protecting Django apps from CSRF

John Steven John.Steven at owasp.org
Thu May 16 18:20:58 UTC 2013


Matt,

An email is not a befitting format for a good answer. And, the
documentation itself is actually really good, by comparison. Shockingly so
for a framework, IMO.
https://docs.djangoproject.com/en/dev/ref/contrib/csrf/

Notwithstanding…

1) XMLHttpRequests have already been covered by a previous post I believe.
More info present in link provided above.

2) Secure by default -

Change CSRF_COOKIE_SECURE --> True

Change CSRF_COOKIES_HTTPONLY --> True

prefer middleware_class inclusion rather than csrf_protect()
wrapping…discretionary application of the decorator pattern

prefer RequestContext rather than manual import for the
view handlers

3) Set CSRF_COOKIE_DOMAIN and understand limitations:

https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#csrf-limitations

…there's more work to do:

4) Understand the scheme relies (only) on referrer checking to prevent MitM.

5) Django CSRF tokens have no (effective) expiry. Fixing this, I recall,
requires a code customization.

As with any framework there are more positive/negative standards than this
and the standards tend to be version-specific.

Standard CSRF disclaimers would apply: do not rely on tokens for crossing
privilege / sensitivity boundaries and so forth.

-jOHN
-- 
Phone: 703.727.4034
Rss: http://feeds.feedburner.com/M1splacedOnTheWeb

On Thu, May 16, 2013 at 11:53 AM, Matt Tesauro <matt.tesauro at owasp.org> wrote:

> While I'm up to my ears with Python at Rackspace & with OpenStack, I've
> not used Django for any of the code I've written recently - or actually
> ever.
>
> I've got an app which is basically using the Django CSRF protection as
> outlined here:
> https://docs.djangoproject.com/en/dev/ref/contrib/csrf/
> for both "normal" web forms as well as AJAX calls.
>
> I'm curious about anyone's experience with the Django CSRF protection, how
> well it works and any "gotchas", weakness or other issues with Django's
> CSRF protection.
>
> List or direct replies appreciated.
>
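Point 2) and 3) of the reply above, turned into a settings audit: an added example, not Django's or the list's own code. The setting names are Django's (the cookie flag is spelled CSRF_COOKIE_HTTPONLY in Django's settings); the two sample settings dicts and the check logic are constructed here, and missing keys are treated as Django's defaults.

```python
# Added example, not Django's own code: audits a settings mapping against
# the hardening points in the post (setting names are Django's; the checks
# and the two sample settings dicts are constructed here).
CSRF_MIDDLEWARE = "django.middleware.csrf.CsrfViewMiddleware"

# Constructed sample: a project that left the CSRF cookie at its defaults
# and relies on per-view csrf_protect() decorators instead of middleware.
WEAK_SETTINGS = {
    "MIDDLEWARE_CLASSES": ("django.middleware.common.CommonMiddleware",),
    "CSRF_COOKIE_SECURE": False,
}

# Constructed sample: the same project after applying points 2) and 3).
HARDENED_SETTINGS = {
    "MIDDLEWARE_CLASSES": (
        "django.middleware.common.CommonMiddleware",
        CSRF_MIDDLEWARE,
    ),
    "CSRF_COOKIE_SECURE": True,
    "CSRF_COOKIE_HTTPONLY": True,
    "CSRF_COOKIE_DOMAIN": ".example.org",
}


def audit_csrf_settings(settings):
    """Return the list of hardening points the settings fail to meet.

    An empty list means every check passed. Absent keys are read as
    Django's defaults: both cookie flags False, no cookie domain set.
    """
    findings = []
    if not settings.get("CSRF_COOKIE_SECURE", False):
        findings.append("CSRF_COOKIE_SECURE is not True: token cookie also sent over plain HTTP")
    if not settings.get("CSRF_COOKIE_HTTPONLY", False):
        findings.append("CSRF_COOKIE_HTTPONLY is not True: token cookie readable from script")
    # Site-wide middleware beats discretionary csrf_protect() wrapping: a view
    # whose decorator was forgotten is silently unprotected.
    middleware = settings.get("MIDDLEWARE", settings.get("MIDDLEWARE_CLASSES", ()))
    if CSRF_MIDDLEWARE not in middleware:
        findings.append("CsrfViewMiddleware not enabled: protection is per-view only")
    if not settings.get("CSRF_COOKIE_DOMAIN"):
        findings.append("CSRF_COOKIE_DOMAIN unset: see point 3 and the limitations link")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(name, audit_csrf_settings(cfg) or "OK")
```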