Opened 6 weeks ago
Closed 6 weeks ago
#35796 closed New feature (wontfix)
Add setting to sign CSRF cookie
| Field | Value | Field | Value |
|---|---|---|---|
| Reported by: | Benjamin Zagorsky | Owned by: | |
| Component: | CSRF | Version: | dev |
| Severity: | Normal | Keywords: | csrf cookie signing |
| Cc: | | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Django should have a setting `CSRF_COOKIE_SIGNED` that uses the cookie signing infrastructure to sign the CSRF cookie. This would enable sites running on a subdomain of a shared domain name (ex. [SUBDOMAIN].herokuapp.com) to have protection from cookie tampering (reducing the caveat currently under https://docs.djangoproject.com/en/5.1/ref/csrf/#csrf-limitations).

This setting should initially default to `False` for backwards compatibility, although this could be changed in a future major release.
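As an added illustration of the mechanism the report asks for (not code from the ticket or from Django itself), the block below shows what signing the CSRF cookie buys against a sibling subdomain that can set cookies on the shared parent domain. It uses a simplified HMAC scheme from the standard library as a stand-in for Django's `django.core.signing` (the real `set_signed_cookie`/`get_signed_cookie` helpers use a different wire format); `SECRET_KEY`, `SALT` and the function names are assumptions for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed values for illustration; a Django site would use settings.SECRET_KEY.
SECRET_KEY = "constructed-secret-key-for-illustration"
SALT = "csrf-cookie"  # hypothetical salt, playing the role of the signer's salt


def _signature(value: str, secret: str = SECRET_KEY) -> str:
    # Derive a per-salt key, then HMAC the cookie value. Simplified stand-in for
    # django.core.signing.Signer, not its exact algorithm or format.
    key = hashlib.sha256((SALT + "signer" + secret).encode()).digest()
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def new_token() -> str:
    # Fresh CSRF token, as the server would generate for a new visitor.
    return secrets.token_hex(16)


def sign_csrf_cookie(token: str, secret: str = SECRET_KEY) -> str:
    """Cookie value the server sets: "<token>:<signature>"."""
    return f"{token}:{_signature(token, secret)}"


def verify_csrf_cookie(cookie_value: str) -> Optional[str]:
    """Return the token if the signature verifies under SECRET_KEY, else None.

    None means the middleware should treat the cookie as absent: it was either
    never signed (e.g. planted as a bare value by a sibling subdomain) or signed
    with a key the server does not hold.
    """
    token, sep, sig = cookie_value.rpartition(":")
    if not sep or not token:
        return None
    expected = _signature(token)
    # Constant-time comparison on bytes; also safe for non-ASCII cookie values.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    return token


def planted_cookie_is_rejected() -> bool:
    """Scenario from the report: a sibling subdomain plants its own cookie value.

    Without SECRET_KEY it can only send a bare token or one signed with a key of
    its own choosing; both must be rejected, while the server's cookie verifies.
    """
    own = new_token()
    bare = verify_csrf_cookie(own) is None
    foreign = verify_csrf_cookie(sign_csrf_cookie(own, "attacker-chosen-key")) is None
    genuine = verify_csrf_cookie(sign_csrf_cookie(own)) == own
    return bare and foreign and genuine
```

Signing only proves the value was produced by a holder of `SECRET_KEY`; it does not by itself bind the token to the user's session, which is why the report describes this as reducing, not removing, the documented limitation.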
Change History (1)
comment:1 by , 6 weeks ago
| Field | Change |
|---|---|
| Component: | Core (Other) → CSRF |
| Easy pickings: | unset |
| Keywords: | signing added |
| Resolution: | → wontfix |
| Status: | new → closed |
Hello Benjamin!
Adding a new setting to Django is quite controversial, and something that we try to avoid. Because of that, this requires an explicit agreement with the community. Besides the new setting proposal, I do understand that this report comes along with a new feature request, which would be adding "automatic" CSRF cookie signing to Django. For cases like this, the recommended path forward is to first propose and discuss the idea with the community and gain consensus. To do that, please consider starting a new conversation on the Django Forum, where you'll reach a broader audience and receive additional feedback.
I'll close the ticket for now, but if the community agrees with the proposal, please return to this ticket and reference the forum discussion so we can re-open it. For more information, please refer to the documented guidelines for requesting features.
Thanks!