[Owasp-leaders] Protecting Django apps from CSRF
matt.tesauro at owasp.org
Wed May 29 02:06:56 UTC 2013
My apologies for the delayed response - I got buried with some work items.
Just wanted to thank all those that replied to my query - I got some great
replies from the list which is one of the cool things about hanging out
with this community.
-- Matt Tesauro
OWASP WTE Project Lead
http://AppSecLive.org - Community and Download site
OWASP OpenStack Security Project Lead
On Fri, May 17, 2013 at 8:19 AM, Martin Holst Swende <
martin.holst_swende at owasp.org> wrote:
> On 05/16/2013 05:53 PM, Matt Tesauro wrote:
> While I'm up to my ears with Python at Rackspace & with OpenStack, I've
> not used Django for any of the code I've written recently - or actually
> I've got an app which is basically using the Django CSRF protection as
> outlined here:
> for both "normal" web forms as well as AJAX calls.
> I'm curious about anyone's experience with the Django CSRF protection,
> how well it works and any "gotchas", weakness or other issues with Django's
> CSRF protection.
> It accepts any value for csrf_token, if it comes in both cookie and form
> (double submit).
> Gotchas:
> This means that a XSS in a sibling or child-domain is a security hole,
> since that can be used to set cookies.
> - *But* it also checks referer, so that won't work.
> - *However*, referer is fragile on http-sites (since https won't send
> referer), so that part is disabled by default if the site is served over
> So, if the site is https-only, as I understand it, it's quite OK. Less so
> on http-sites. Please correct me if I'm wrong.
> /Martin Swende
> List or direct replies appreciated.
> Thanks in advance.
> -- Matt Tesauro
> OWASP WTE Project Lead
> http://AppSecLive.org - Community and Download site
> OWASP OpenStack Security Project Lead
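The two checks Martin describes (a token that must match between cookie and form, plus a same-origin Referer check that is only enforced over HTTPS) modelled in plain Python, as an added illustration of the thread's point rather than Django's own middleware code; the function names, the `app.example.com` host and the token values are constructed for the example.

```python
import hmac
from urllib.parse import urlsplit


def same_origin(referer: str, scheme: str, host: str) -> bool:
    """True if the Referer's scheme and host equal the request's own."""
    if not referer:
        return False
    parts = urlsplit(referer)
    return parts.scheme == scheme and parts.netloc.lower() == host.lower()


def check_csrf(cookie_token, submitted_token, scheme, host, referer=None):
    """Return (ok, reason) for one request.

    Models the double-submit rule (cookie value must equal the value sent in
    the form or header) and the Referer rule that is only applied on HTTPS,
    since an HTTPS page will not send a Referer to a plain-HTTP site.
    """
    if not cookie_token or not submitted_token:
        return False, "token missing"
    # constant-time compare so the check leaks nothing about the cookie value
    if not hmac.compare_digest(cookie_token, submitted_token):
        return False, "token mismatch"
    if scheme == "https":
        if referer is None:
            return False, "referer missing"
        if not same_origin(referer, scheme, host):
            return False, "referer from another origin"
    # Over plain HTTP the Referer is not consulted at all: a cookie planted
    # from a sibling domain and echoed in the form would pass here, which is
    # exactly the gap the thread points out and why HTTPS-only is safer.
    return True, "ok"


if __name__ == "__main__":
    host = "app.example.com"
    # same token in cookie and form, cross-origin Referer: blocked on https
    print(check_csrf("t0ken", "t0ken", "https", host, "https://other.example.com/"))
    # identical request over http: no Referer check, so it is accepted
    print(check_csrf("t0ken", "t0ken", "http", host, "https://other.example.com/"))
```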