Opened 38 hours ago

Closed 37 hours ago

#35796 closed New feature (wontfix)

Add setting to sign CSRF cookie

Reported by: Benjamin Zagorsky Owned by:
Component: CSRF Version: dev
Severity: Normal Keywords: csrf cookie signing
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Django should have a setting CSRF_COOKIE_SIGNED that uses the cookie signing infrastructure to sign the CSRF cookie. This would enable sites running on a subdomain of a shared domain name (ex. [SUBDOMAIN].herokuapp.com) to have protection from cookie tampering (reducing the caveat currently under https://docs.djangoproject.com/en/5.1/ref/csrf/#csrf-limitations).

This setting should initially default to False for backwards compatibility, although this could be changed in a future major release.
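An added example, not code from the ticket or from Django, that models the tampering scenario the report describes: a sibling subdomain plants a CSRF cookie for the shared parent domain and submits a form carrying the same value. A standard-library HMAC stands in for django.core.signing; the CSRF_COOKIE_SIGNED behaviour, the `secret:signature` cookie layout, the salt, the secret key and the simplified (unmasked) double-submit comparison are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed for this example; a real deployment would use the project's SECRET_KEY.
SECRET_KEY = "example-secret-not-for-production"
# A salt namespaces the MAC so a signature produced for another purpose cannot be replayed here.
SALT = "csrf-cookie"

CSRF_SECRET_LENGTH = 32


def _mac(value: str) -> str:
    """HMAC-SHA256 over the cookie payload, keyed by a salted derivation of SECRET_KEY."""
    key = hashlib.sha256((SALT + SECRET_KEY).encode()).digest()
    digest = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def new_csrf_secret() -> str:
    """Fresh per-cookie secret; urlsafe alphabet, so it never contains the ':' separator."""
    return secrets.token_urlsafe(CSRF_SECRET_LENGTH)


def sign_cookie(secret: str) -> str:
    """Cookie value the server would set if the hypothetical CSRF_COOKIE_SIGNED were enabled."""
    return f"{secret}:{_mac(secret)}"


def unsign_cookie(cookie_value: str) -> Optional[str]:
    """Return the CSRF secret if the signature verifies, else None (treated as 'no cookie')."""
    payload, sep, sig = cookie_value.rpartition(":")
    if not sep:
        return None
    if not hmac.compare_digest(sig, _mac(payload)):
        return None
    return payload


def csrf_check(cookie_value: str, form_token: str, signed: bool) -> bool:
    """Simplified double-submit check: the form token must equal the secret carried in the
    cookie. Django's real check also masks the token; that detail is omitted here."""
    cookie_secret = unsign_cookie(cookie_value) if signed else cookie_value
    if not cookie_secret:
        return False
    return hmac.compare_digest(cookie_secret, form_token)


def legitimate_request(signed: bool) -> bool:
    """The normal flow: server issues a cookie, the browser submits the matching token."""
    secret = new_csrf_secret()
    cookie = sign_cookie(secret) if signed else secret
    return csrf_check(cookie, secret, signed)


def cookie_tossing_attack(signed: bool) -> bool:
    """Attacker on a sibling subdomain plants a cookie with a value of their own choosing and
    submits a form carrying the same value. Returns True if the server would accept it."""
    attacker_value = "A" * CSRF_SECRET_LENGTH
    return csrf_check(attacker_value, attacker_value, signed)


def replay_attack_with_signed_cookie() -> bool:
    """Attacker first visits the site with their own browser to obtain a validly signed cookie,
    then plants that exact cookie in the victim's browser. Signing alone does not stop this,
    because the signature binds the value to the server key, not to the victim's session."""
    attacker_cookie = sign_cookie(new_csrf_secret())
    attacker_secret = unsign_cookie(attacker_cookie)
    return csrf_check(attacker_cookie, attacker_secret, signed=True)
```

With signing off, `cookie_tossing_attack` succeeds, which is the limitation the ticket points at; with signing on, the made-up value fails verification and the request is rejected. `replay_attack_with_signed_cookie` shows the remaining gap a reviewer would raise: a signed cookie the attacker obtained legitimately still verifies, so signing raises the bar for a sibling-subdomain attacker but does not on its own close the shared-domain case.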

Change History (1)

comment:1 by Natalia Bidart, 37 hours ago

Component: Core (Other) → CSRF
Easy pickings: unset
Keywords: signing added
Resolution: wontfix
Status: new → closed

Hello Benjamin!

Adding a new setting to Django is quite controversial, and something that we try to avoid. Because of that, this requires an explicit agreement with the community. Besides the new setting proposal, I do understand that this report comes along with a new feature request, which would be adding "automatic" CSRF cookie signing to Django. For cases like this, the recommended path forward is to first propose and discuss the idea with the community and gain consensus. To do that, please consider starting a new conversation on the Django Forum, where you'll reach a broader audience and receive additional feedback.

I'll close the ticket for now, but if the community agrees with the proposal, please return to this ticket and reference the forum discussion so we can re-open it. For more information, please refer to the documented guidelines for requesting features.

Thanks!
