Opened 5 years ago

Closed 3 years ago

#15808 closed Bug (fixed)

CSRF token cookie does not utilize the "Secure" or "HttpOnly" flag

Reported by: Samuel.Lavitt@…
Owned by: nobody
Component: CSRF
Version: 1.3
Severity: Normal
Keywords: CSRF Secure HttpOnly
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: yes
Easy pickings: no
UI/UX: no


I have observed that the CSRF token will not utilize the Secure or HttpOnly flags, even when Django is configured to protect session cookies using them. I would personally consider the lack of these flags a bug, as it could result in disclosure of the token value to an attacker, which would then allow them to perform CSRF attacks which would otherwise be prevented.

Because of the nature of the CSRF protection, I feel that having, at a minimum, the ability to configure the Secure flag should be included, and possibly a default setting. I understand that jQuery and JavaScript may have need to access the token for submission of data, so HttpOnly as a default may not work in many environments.

Change History (6)

comment:1 Changed 5 years ago by lukeplant

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #14134.

I'm not going to categorize as a bug, because over HTTPS we also have strict referer checking for CSRF protection, so leaking of the token is not a critical issue.

comment:2 Changed 3 years ago by mrmachine

  • Easy pickings unset
  • Resolution duplicate deleted
  • Status changed from closed to reopened
  • UI/UX unset

The ticket that this is a duplicate of was closed as "fixed" but it did not implement (and did not discuss) a CSRF_COOKIE_HTTPONLY setting, similar to the SESSION_COOKIE_HTTPONLY setting that does already exist. The implementation would be very simple. The set_cookie() function already has a httponly argument. We just need to pass the value of the new setting to it when creating the cookie.

I'm not sure if the "not critical" comment was referring to the HttpOnly aspect of this ticket, or just the Secure aspect, since the justification mentions strict referer checking over HTTPS (only?)

Either way, clients often perform their own security analysis on sites and make recommendations, and I have one such report in front of me that says I should be setting HttpOnly for the CSRF (and session, which is possible thanks to the SESSION_COOKIE_HTTPONLY setting) cookie. I'd rather respond to them with "done" instead of "not done, but it's not critical because we have strict referer checking for CSRF protection".

I can patch my local copy of Django, but is there actually a reason to *not* implement this? I can contribute a patch if this is accepted.
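
The change described in the comment above (pass the setting through to the cookie's httponly argument) and the kind of scanner check the commenter's client ran, as an added stand-alone illustration, not Django's own code: the Settings stand-in and set_csrf_cookie() are constructed here, CSRF_COOKIE_SECURE is an existing Django setting not mentioned on this ticket, and CSRF_COOKIE_HTTPONLY is the setting the ticket proposes.

```python
import http.cookies
from dataclasses import dataclass


# Constructed stand-in for the Django settings involved (hypothetical class,
# real setting names). CSRF_COOKIE_HTTPONLY is the one this ticket adds.
@dataclass
class Settings:
    CSRF_COOKIE_NAME: str = "csrftoken"
    CSRF_COOKIE_SECURE: bool = False
    CSRF_COOKIE_HTTPONLY: bool = False


def set_csrf_cookie(settings: Settings, token: str) -> str:
    """Return the Set-Cookie header value the CSRF middleware would emit.

    The fix the ticket asks for is just the last two assignments: forward the
    Secure and HttpOnly settings to the cookie instead of dropping them.
    """
    jar = http.cookies.SimpleCookie()
    jar[settings.CSRF_COOKIE_NAME] = token
    morsel = jar[settings.CSRF_COOKIE_NAME]
    morsel["path"] = "/"
    morsel["secure"] = settings.CSRF_COOKIE_SECURE      # emits "Secure" when True
    morsel["httponly"] = settings.CSRF_COOKIE_HTTPONLY  # emits "HttpOnly" when True
    return morsel.OutputString()


def audit_set_cookie(header_value: str, require_secure: bool = True,
                     require_httponly: bool = True) -> list:
    """List the protective flags missing from a Set-Cookie header value.

    This mirrors what a security scan of the site's responses would report:
    attribute names after the first ';' are compared case-insensitively.
    """
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in header_value.split(";")[1:]}
    missing = []
    if require_secure and "secure" not in attrs:
        missing.append("Secure")
    if require_httponly and "httponly" not in attrs:
        missing.append("HttpOnly")
    return missing


if __name__ == "__main__":
    hardened = Settings(CSRF_COOKIE_SECURE=True, CSRF_COOKIE_HTTPONLY=True)
    for cfg in (Settings(), hardened):
        header = set_csrf_cookie(cfg, "constructed-token-value")
        print(header, "-> missing:", audit_set_cookie(header) or "none")
```

As the reporter notes, HttpOnly stops page scripts reading the token from the cookie, so a site whose JavaScript does that must obtain the token another way (for example from a hidden form field) before enabling the flag.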

comment:3 Changed 3 years ago by mlavin

There is an open pull request for this issue:

comment:4 Changed 3 years ago by russellm

  • Triage Stage changed from Unreviewed to Accepted

I concur with Luke that it's not strictly necessary, but I don't see any reason why we shouldn't make the option available; we have precedent in SESSION_COOKIE_HTTPONLY, so I don't see why we shouldn't offer CSRF_COOKIE_HTTPONLY as well. It's not like it's going to *reduce* security. Call it a feature, not a bug :-)

comment:5 Changed 3 years ago by aaugustin

  • Has patch set
  • Patch needs improvement set

The PR has tests and docs but it no longer applies cleanly.

It shouldn't be hard to update, though.

comment:6 Changed 3 years ago by Aymeric Augustin <aymeric.augustin@…>

  • Resolution set to fixed
  • Status changed from reopened to closed

In 720888a14699a80a6cd07d32514b9dcd5b1005fb:

Fixed #15808 -- Added optional HttpOnly flag to the CSRF Cookie.

Thanks Samuel Lavitt for the report and Sascha Peilicke for the patch.
