Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#33836 closed Bug (invalid)

Incompatible default setting for CSRF_HEADER_NAME

Reported by: Matías Santurio Owned by: Matías Santurio
Component: CSRF Version: 4.0
Severity: Normal Keywords: CSRF settings
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Matías Santurio)

The default setting for CSRF_HEADER_NAME is 'HTTP_X_CSRFTOKEN' which is incompatible with modern web application servers (including django development server), this is because it includes an underscore, which these servers don't allow since it can lead to 'header-spoofing'.

I found this on 4.0 but it's present in 4.1 and dev as well.

Change History (5)

comment:1 by Matías Santurio, 2 years ago

Owner: changed from Matías Santurio to Matías Santurio

comment:2 by Matías Santurio, 2 years ago

Resolution: fixed
Status: assignedclosed

comment:3 by Matías Santurio, 2 years ago

Description: modified (diff)

comment:4 by Matías Santurio, 2 years ago

Description: modified (diff)

comment:5 by Matías Santurio, 2 years ago

Resolution: fixedinvalid
Note: See TracTickets for help on using tickets.
Back to Top