#33836 closed Bug (invalid)
Incompatible default setting for CSRF_HEADER_NAME — at Version 3
Description (last modified by )
The default setting for CSRF_HEADER_NAME is 'HTTP_X_CSRFTOKEN', which is incompatible with modern web application servers (including the Django development server). This is because it includes an underscore, which these servers don't allow since it can lead to 'header spoofing'.
I found this on 4.0, but it's present in 4.1 and dev as well.
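For readers weighing the report, the relationship between the HTTP header and the setting value is the crux: CSRF_HEADER_NAME names a key in the WSGI `META` dictionary, not a wire header, and WSGI/CGI derive that key from the header `X-CSRFToken` by upper-casing, turning `-` into `_`, and prefixing `HTTP_`. The following is an added example, not code from the ticket or from Django itself; the `header_to_meta_key`, `strict_proxy_filter`, `build_meta` and `csrf_header_value` helpers and the sample headers are constructed here to show that mapping, and to show why a front-end server that drops header names containing literal underscores blocks the spoofing collision the reporter alludes to rather than breaking the default.

```python
"""
Added example (not from the ticket or from Django): how an HTTP request
header name becomes a WSGI META key, and why the default
CSRF_HEADER_NAME, 'HTTP_X_CSRFTOKEN', is simply the META key for the
header 'X-CSRFToken'. All helpers and sample headers are constructed
for illustration.
"""

# Default value of the Django setting discussed in the ticket.
CSRF_HEADER_NAME = "HTTP_X_CSRFTOKEN"


def header_to_meta_key(name: str) -> str:
    """Map an HTTP header name to its CGI/WSGI environ key (PEP 3333 rule).

    Upper-case the name, replace '-' with '_', and prefix 'HTTP_'.
    Content-Type and Content-Length are the two headers carried without
    the prefix.
    """
    key = name.upper().replace("-", "_")
    if key in ("CONTENT_TYPE", "CONTENT_LENGTH"):
        return key
    return "HTTP_" + key


def strict_proxy_filter(headers: dict) -> dict:
    """Model (constructed) of a front-end server that drops header names
    containing a literal underscore.

    The point of such a default is that 'X_CSRFToken' and 'X-CSRFToken'
    would otherwise both map to the same META key, so an attacker-chosen
    underscore variant could shadow the real header. Dropping the
    underscore form removes the collision while leaving the hyphenated
    header, and therefore the default setting, fully functional.
    """
    return {k: v for k, v in headers.items() if "_" not in k}


def build_meta(headers: dict) -> dict:
    """Build the META dict a WSGI application sees for these headers.

    With a plain dict, a later header that maps to the same key
    overwrites an earlier one; this is the collision the filter prevents.
    """
    meta = {}
    for name, value in headers.items():
        meta[header_to_meta_key(name)] = value
    return meta


def csrf_header_value(meta: dict, setting: str = CSRF_HEADER_NAME):
    """Read the CSRF token the way a CSRF check does: by META key named in
    the setting."""
    return meta.get(setting)


def demo() -> dict:
    """Run the three scenarios and return their outcomes."""
    # Constructed sample: a well-formed request carrying the CSRF header.
    normal = {"X-CSRFToken": "good-token"}
    # Constructed sample: the hyphenated header plus an underscore variant.
    # Insertion order puts the underscore variant last so it would win
    # the META collision if nothing filtered it.
    collided = {"X-CSRFToken": "good-token", "X_CSRFToken": "spoofed-token"}

    return {
        "meta_key": header_to_meta_key("X-CSRFToken"),
        "normal": csrf_header_value(build_meta(normal)),
        "unfiltered": csrf_header_value(build_meta(collided)),
        "filtered": csrf_header_value(build_meta(strict_proxy_filter(collided))),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

Running the block shows `X-CSRFToken` landing on `HTTP_X_CSRFTOKEN` and the token being read normally; without a filter the underscore variant shadows the real header, and with the filter only the hyphenated header survives, which is exactly the behaviour that makes the default setting safe to keep.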
Change History (3)
comment:1 by , 3 years ago
Owner: changed from to
comment:2 by , 3 years ago
Resolution: → fixed
Status: assigned → closed
comment:3 by , 3 years ago
Description: modified (diff)