Code

Opened 4 years ago

Closed 4 years ago

Last modified 2 years ago

#12738 closed Uncategorized (wontfix)

CSRF token name should be a configurable setting

Reported by: Kronuz Owned by: nobody
Component: Uncategorized Version:
Severity: Normal Keywords:
Cc: Kronuz Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

The CSRF token name ('csrfmiddlewaretoken') should perhaps be configurable, for security reasons if not anything else...

Attachments (1)

#12738-csrf_token_url_name_configurable.diff (2.1 KB) - added by Kronuz 15 months ago.

Download all attachments as: .zip

Change History (5)

comment:1 Changed 4 years ago by lukeplant

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

I don't understand why that would improve security. The security lies in the value of the token, not the name. Most CSRF attacks are going to be per-site, and a setting would be per-site. Also, if an attacker was using a more generic attack against all Django-powered sites, it would be easy to find out what the name of the token is for a specific site - one request to a page that contains a POST form, and you are done, since a simple regex will in most cases find which field 'looks like' a Django CSRF token.

Do you have an actual use case where you need this?

comment:2 Changed 4 years ago by lukeplant

  • Resolution set to wontfix
  • Status changed from new to closed

No response, so I presume there is no use case, so closing.

comment:3 Changed 3 years ago by jacob

  • milestone 1.2 deleted

Milestone 1.2 deleted

comment:4 Changed 2 years ago by Kronuz

  • Cc Kronuz added
  • Easy pickings unset
  • Severity set to Normal
  • Type set to Uncategorized
  • UI/UX unset

Add Comment

Modify Ticket

Change Properties
<Author field>
Action
as closed
as The resolution will be set. Next status will be 'closed'
The resolution will be deleted. Next status will be 'new'
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.