Opened 3 years ago

Last modified 3 years ago

#33836 closed Bug

Incompatible default setting for CSRF_HEADER_NAME — at Initial Version

Reported by: Matías Santurio Owned by: Matías Santurio
Component: CSRF Version: 4.0
Severity: Normal Keywords: CSRF settings
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

The default setting for CSRF_HEADER_NAME is 'HTTP_X_CSRFTOKEN' which is incompatible with modern web application servers (including django development server), this is because it includes an underscore, which these servers don't allow since it can lead to 'header-spoofing'.

Change History (0)

Note: See TracTickets for help on using tickets.
Back to Top