Provides for creating independent csrf tokens for the http and https schemes
This package enables two separate cookie tokens on each request, bound to the scheme:
a SECURE HTTPS only cookie
a mixed-use insecure http token (which is also available on https).
If the current scheme is HTTPS:
only the SECURE HTTPS token will be considered
HOWEVER calls to generate a new token will reset both the SECURE HTTPS and the insecure http tokens.
If the current scheme is insecure http:
the SECURE HTTPS tokens are ignored as they are not even available, and only the insecure http token is considered.
This package is currently supported under Python2.7 and 3.8; other 3.x versions may work.
This package should work on Pyramid1.x and 2.x
If an application supports both HTTP and HTTPS endpoints, this package simplifies isolating the CSRF data from both.
Is this necessary?
I’m not sure, but have decided to err on the side of caution.
HTTP traffic is sent in plaintext and capable of being intercepted by a man-in-the-middle or network packet sniffing.
It seems plausible that someone might read a csrf token via HTTP and use that in attempts to compromise HTTPS endpoints in a mixed use environment.
A better option is to only use HTTPS tokens and forms - but that is not always an option.
just add to your ENVIRONMENT.ini file, or similar application configuration.
debugtoolbar.includes = pyramid_csrf_multi_scheme.debugtoolbar
Tthe debugtoolbar will now have a CSRFMultiScheme panel that has the following info:
configuration info on the cookie names
incoming request csrf values
outgoing response csrf values
Most of this is just code lightly edited from Pyramid, and therefore available under Pyramid’s licensing terms.
Release history Release notifications | RSS feed
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Hashes for pyramid_csrf_multi_scheme-0.1.1.tar.gz