Provides for creating independent csrf tokens for the http and https schemes

Project description

This package enables two separate cookie tokens on each request, bound to the scheme:

  • a SECURE HTTPS only cookie

  • a mixed-use insecure http token (which is also available on https).

If the current scheme is HTTPS:

  • only the SECURE HTTPS token will be considered

  • HOWEVER calls to generate a new token will reset both the SECURE HTTPS and the insecure http tokens.

If the current scheme is insecure http:

  • the SECURE HTTPS tokens are ignored as they are not even available, and only the insecure http token is considered.
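As an added illustration of the scheme-binding rules above (example code, not the package's own implementation), here is a framework-free Python sketch: the cookie names and the stand-in request object are constructed for this example, and it assumes that an HTTPS reset gives the two cookies distinct values so the plaintext-exposed one never reveals the HTTPS one.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed cookie names for this example; the real package's names are
# configurable and are not reproduced here.
SECURE_COOKIE = "csrf_https"    # set with the Secure flag, HTTPS only
INSECURE_COOKIE = "csrf_http"   # sent on both schemes


@dataclass
class FakeRequest:
    """Minimal stand-in for a Pyramid request: scheme, incoming cookies,
    and a record of cookies queued for the response as name -> (value, secure)."""
    scheme: str
    cookies: dict = field(default_factory=dict)
    response_cookies: dict = field(default_factory=dict)


def _cookie_name(request):
    """Only the scheme-bound cookie is ever consulted."""
    return SECURE_COOKIE if request.scheme == "https" else INSECURE_COOKIE


def new_csrf_token(request):
    """Mint a fresh token for the current scheme.
    On HTTPS both cookies are reset (assumption: with independent values), so an
    http token that may have been observed in plaintext does not stay valid."""
    token = secrets.token_hex(20)
    if request.scheme == "https":
        request.response_cookies[SECURE_COOKIE] = (token, True)
        http_token = secrets.token_hex(20)
        request.response_cookies[INSECURE_COOKIE] = (http_token, False)
        request.cookies[SECURE_COOKIE] = token
        request.cookies[INSECURE_COOKIE] = http_token
    else:
        request.response_cookies[INSECURE_COOKIE] = (token, False)
        request.cookies[INSECURE_COOKIE] = token
    return token


def get_csrf_token(request):
    """Return the token for the current scheme, minting one if none is present."""
    return request.cookies.get(_cookie_name(request)) or new_csrf_token(request)


def check_csrf_token(request, supplied):
    """Constant-time comparison against the scheme-bound cookie only: on HTTPS
    the insecure http cookie is ignored, so a sniffed http token fails there."""
    expected = request.cookies.get(_cookie_name(request))
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)
```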

Python Versions

This package is currently supported under Python 2.7 and 3.8; other 3.x versions may work.

This package should work on Pyramid 1.x and 2.x.

Why?

If an application supports both HTTP and HTTPS endpoints, this package simplifies isolating the CSRF data from both.

Is this necessary?

I’m not sure, but have decided to err on the side of caution.

HTTP traffic is sent in plaintext and can be intercepted by a man-in-the-middle or by network packet sniffing.

It seems plausible that someone might read a csrf token via HTTP and use that in attempts to compromise HTTPS endpoints in a mixed use environment.

A better option is to only use HTTPS tokens and forms - but that is not always an option.

debugtoolbar support!

Just add the following to your ENVIRONMENT.ini file, or similar application configuration:

debugtoolbar.includes = pyramid_csrf_multi_scheme.debugtoolbar

The debugtoolbar will now have a CSRFMultiScheme panel that shows the following info:

  • configuration info on the cookie names

  • incoming request csrf values

  • outgoing response csrf values

License

Most of this is just code lightly edited from Pyramid, and therefore available under Pyramid’s licensing terms.

Source Distribution

pyramid_csrf_multi_scheme-0.1.1.tar.gz (9.6 kB)
