Project description
django_referer_csrf
This project has 2 goals:
- Simplify Django's CSRF protection so that developers don't need to worry about the token
- Make it easier for view code to invoke CSRF protection dynamically
The token isn't needed
https://security.stackexchange.com/a/197269
On HTTPS sites, Django's CSRF middleware already requires that the request's Referer header match the request's Host header (or one of the origins listed in CSRF_TRUSTED_ORIGINS), and it rejects HTTPS requests that carry no Referer at all. Once that check passes, the token check adds no extra security against a cross-site request, because the attacker's page cannot make the victim's browser attach a matching Referer. The token is therefore redundant, and this project drops it.
Django skips the Referer check on non-HTTPS sites, which has one practical upside: users who configure their browser not to send a Referer header can still submit forms over plain HTTP (over HTTPS the missing header is rejected outright).
Our validator looks for a valid Origin header first and falls back to the Referer header only when Origin is absent. Modern browsers follow the Fetch standard, which sends an Origin header with every request other than GET and HEAD (and with every cross-origin request), so a user who has disabled the Referer header can still pass our CSRF check. Two caveats for anyone reimplementing the check: browsers send the literal value "Origin: null" in some situations (sandboxed frames, some cross-origin redirects), and that value must be treated as not matching, not as "no header"; and a state-changing request carrying neither header cannot be tied to the site and fails the check.
Usage
- pip install django_referer_csrf
- in your MIDDLEWARE setting, replace django.middleware.csrf.CsrfViewMiddleware with django_referer_csrf.Middleware
With this middleware, you can still use Django's csrf_exempt decorator to opt individual views out of the check.
If you want to apply the CSRF protection based on dynamic conditions in view code, look at what Middleware.process_view() does and replicate that check inside the view.
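The check described in the "The token isn't needed" section and the view-level reuse suggested above, as an added example. This is not the django_referer_csrf package's own code: it has no Django dependency so it runs stand-alone, and csrf_failure_reason() takes the plain values you would read off a Django HttpRequest (request.method, request.get_host(), request.is_secure(), request.headers). The trusted_origins parameter is an assumption of this example that plays the role of Django's CSRF_TRUSTED_ORIGINS; the sample requests at the bottom are constructed, not captured traffic.

```python
"""Origin/Referer CSRF check of the kind the README describes (added example)."""
from urllib.parse import urlsplit

# Django treats these methods as "safe" and never applies CSRF checks to them.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_tuple(url):
    """Reduce an absolute URL to (scheme, host, port), or None if unusable.

    Comparing the parsed hostname rather than a string prefix is what makes
    'https://example.com.evil.net' and 'https://example.com@evil.net' differ
    from 'https://example.com'. The literal 'null' and relative values come
    back as None and therefore never match anything.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError:  # e.g. 'https://example.com:abc'
        return None
    return (parts.scheme, parts.hostname, port)


def csrf_failure_reason(method, host, is_secure, headers, trusted_origins=()):
    """Return None if the request passes, otherwise a short rejection reason.

    Origin is authoritative when the browser sent it; Referer is only a
    fallback for clients that omit Origin. A state-changing request with
    neither header is rejected, since nothing ties it to our site.
    """
    if method.upper() in SAFE_METHODS:
        return None

    scheme = "https" if is_secure else "http"
    expected = origin_tuple(f"{scheme}://{host}")
    if expected is None:
        return "unparseable Host header"
    allowed = {expected}
    # trusted_origins: full scheme://host[:port] values, exact match only
    # (an assumption of this example, standing in for CSRF_TRUSTED_ORIGINS).
    allowed.update(t for t in map(origin_tuple, trusted_origins) if t)

    lowered = {k.lower(): v for k, v in headers.items()}
    if "origin" in lowered:
        if origin_tuple(lowered["origin"]) in allowed:
            return None
        return f"Origin {lowered['origin']!r} does not match {scheme}://{host}"
    if "referer" in lowered:
        if origin_tuple(lowered["referer"]) in allowed:
            return None
        return f"Referer {lowered['referer']!r} does not match {scheme}://{host}"
    return "no Origin or Referer header on a state-changing request"


if __name__ == "__main__":
    # Constructed sample requests against an HTTPS site at example.com.
    cases = [
        ("POST", {"Origin": "https://example.com"}),
        ("POST", {"Referer": "https://example.com/accounts/login/"}),
        ("POST", {"Origin": "null"}),
        ("POST", {"Referer": "https://example.com.evil.net/"}),
        ("POST", {"Referer": "http://example.com/form"}),
        ("POST", {}),
        ("GET", {}),
    ]
    for method, headers in cases:
        reason = csrf_failure_reason(method, "example.com", True, headers)
        verdict = "OK" if reason is None else "REJECT (" + reason + ")"
        print(f"{method} {headers}: {verdict}")
```

To use this in a view instead of (or in addition to) the middleware, call csrf_failure_reason(request.method, request.get_host(), request.is_secure(), request.headers) at the point where the dynamic condition applies and return HttpResponseForbidden when it yields a reason; a view decorated with csrf_exempt can apply the same call only on the code paths that change state.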
Download files
Source Distribution
Built Distribution
File details
Details for the file django_referer_csrf-0.2.0.tar.gz.
File metadata
- Download URL: django_referer_csrf-0.2.0.tar.gz
- Size: 2.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.8.0 pkginfo/1.9.6 readme-renderer/34.0 requests/2.26.0 requests-toolbelt/0.10.1 urllib3/1.26.7 tqdm/4.64.1 importlib-metadata/4.8.3 keyring/23.4.1 rfc3986/1.5.0 colorama/0.4.5 CPython/3.6.15
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 0b2ddfec35dc03a3af8ad978ed1239752381644f51fbf2cbe20c9e823c9fcf11 |
| MD5 | 6f5580ad147c31eb563983009de9008e |
| BLAKE2b-256 | 3355fa703513baa34b9e05f7626e6174d994abd30eb3216bb47f82ae8837cd55 |
File details
Details for the file django_referer_csrf-0.2.0-py3-none-any.whl.
File metadata
- Download URL: django_referer_csrf-0.2.0-py3-none-any.whl
- Size: 4.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.8.0 pkginfo/1.9.6 readme-renderer/34.0 requests/2.26.0 requests-toolbelt/0.10.1 urllib3/1.26.7 tqdm/4.64.1 importlib-metadata/4.8.3 keyring/23.4.1 rfc3986/1.5.0 colorama/0.4.5 CPython/3.6.15
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | ac209172d56951aaf537745db99644e90ced4090ef45760462537e0846e1ac38 |
| MD5 | 9b38b1ecaaaef1f8e211d5c77a2a8076 |
| BLAKE2b-256 | fa79395a33188802e01b313a5b0f071f4d311a6182f1580e2916e53ed7c99468 |