Project description

django_referer_csrf

This project has 2 goals:

Simplifiy django's CSRF protection so that developers don't need to worry about the token
Make it easier for view code to invoke CSRF protection dynamically

The token isn't needed

https://security.stackexchange.com/a/197269

On https sites, django's csrf protection requires that the request's referer header matches the request's host header. This check makes the entire CSRF token redundant. The token check provides no extra security on top of the referer check.

Django skips the referer check on non-https sites, which is somewhat advantageous (it means that users who configure their web browsers not submit a referer header can still submit forms).

Our validator actually looks for a valid origin header or referer header. Modern browsers follow the (newish) spec, which is to send an origin header with every request other than head/get. This means that if users have the referer header disabled, they can still pass our CSRF check.

Usage

pip install django_referer_csrf
in your MIDDLEWARE setting, replace django.middleware.csrf.CsrfViewMiddleware with django_referer_csrf.Middleware

With this middleware, you can still use Djangos's csrf_exempt decorators.

If you want to apply the CSRF protection based on dynamic conditions in view code, just check to see what the Middleware.process_view() does and replicate that.

Project details

These details have not been verified by PyPI

Project links

Homepage

Release history Release notifications | RSS feed

This version

0.1.0

Oct 31, 2023

0.0.1

Jun 29, 2021

0.0.0

Mar 24, 2020

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

django_referer_csrf-0.1.0.tar.gz (2.9 kB view details)

Uploaded Oct 31, 2023 Source

Built Distribution

django_referer_csrf-0.1.0-py2-none-any.whl (4.7 kB view details)

Uploaded Oct 31, 2023 Python 2

File details

Details for the file django_referer_csrf-0.1.0.tar.gz.

File metadata

Download URL: django_referer_csrf-0.1.0.tar.gz
Upload date: Oct 31, 2023
Size: 2.9 kB
Tags: Source
Uploaded using Trusted Publishing? No
Uploaded via: twine/3.8.0 pkginfo/1.9.6 readme-renderer/34.0 requests/2.26.0 requests-toolbelt/0.10.1 urllib3/1.26.7 tqdm/4.64.1 importlib-metadata/4.8.3 keyring/23.4.1 rfc3986/1.5.0 colorama/0.4.5 CPython/3.6.15

File hashes

Hashes for django_referer_csrf-0.1.0.tar.gz
Algorithm	Hash digest
SHA256	`8d22c5f91710b2392d7450377b7ace7fb038458146cf898805db52224eb5f1e5`
MD5	`ffc5b7c7e56bb70d5bad0347764dc605`
BLAKE2b-256	`20a7aa812b78e458e32e5f94d1c9e231679186efaffccbd90f77d638fca2c6e0`

See more details on using hashes here.

File details

Details for the file django_referer_csrf-0.1.0-py2-none-any.whl.

File metadata

Download URL: django_referer_csrf-0.1.0-py2-none-any.whl
Upload date: Oct 31, 2023
Size: 4.7 kB
Tags: Python 2
Uploaded using Trusted Publishing? No
Uploaded via: twine/3.8.0 pkginfo/1.9.6 readme-renderer/34.0 requests/2.26.0 requests-toolbelt/0.10.1 urllib3/1.26.7 tqdm/4.64.1 importlib-metadata/4.8.3 keyring/23.4.1 rfc3986/1.5.0 colorama/0.4.5 CPython/3.6.15

File hashes

Hashes for django_referer_csrf-0.1.0-py2-none-any.whl
Algorithm	Hash digest
SHA256	`75dd4529477763d426124ef5190a11b68e2ca50c0c8aad4164caf1fd08b6058b`
MD5	`6afc9dd4a18c8dee03ed39fd834382ed`
BLAKE2b-256	`2972dfa1c04b898eed8244f6b1e241e3f62649d0402b38c7c79404c1bb3c3c75`