Opened 9 months ago

Last modified 7 months ago

#35328 assigned Cleanup/optimization

Improve CSRF Origin checking messaging

Reported by: Ryan Hiebert
Owned by: Ryan Hiebert
Component: CSRF
Version: dev
Severity: Normal
Keywords: (none)
Cc: Carlton Gibson, tim-schilling
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: yes
Easy pickings: no
UI/UX: no

Description

A very common misconfiguration is for the SECURE_PROXY_SSL_HEADER setting to not be configured correctly. This causes the origin checks to fail, but the messaging leads folks like me to the CSRF_TRUSTED_ORIGINS setting, which is not really what you want in this scenario. In some cases, like GitHub Codespaces, you may also need the USE_X_FORWARDED_HOST setting as well.

I believe we can make some common scenarios easier to fix by improving our error messaging. Particularly in DEBUG mode, we can show useful information about their headers and give a suggestion about what fix might be appropriate.

https://forum.djangoproject.com/t/forwarded-headers-csrf-hints/28616
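To make the failure mode concrete, here is an added, self-contained Python model of the origin check and of the DEBUG-mode hints the ticket proposes. It is not Django's code and not the ticket's patch: it re-implements the relevant parts of `request.is_secure()`, `request.get_host()` and `CsrfViewMiddleware`'s origin comparison in simplified form (exact-match `CSRF_TRUSTED_ORIGINS` only, no wildcard handling, no `ALLOWED_HOSTS` validation). The `META` dictionary and the host names in it are constructed to look like a request arriving through a TLS-terminating reverse proxy; the `debug_hints` function and its wording are this example's own suggestion of what the improved message could say.

```python
from urllib.parse import urlsplit

# Django's existing rejection message (django/middleware/csrf.py).
REASON_BAD_ORIGIN = "Origin checking failed - %s does not match any trusted origins."

# Constructed sample: the proxy terminated TLS and forwarded plain HTTP to the
# app on an internal host name, passing the real scheme/host in X-Forwarded-*.
SAMPLE_META = {
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "app-internal:8000",
    "HTTP_X_FORWARDED_PROTO": "https",
    "HTTP_X_FORWARDED_HOST": "app.example.test",
    "HTTP_ORIGIN": "https://app.example.test",
}

MISCONFIGURED_SETTINGS = {"DEBUG": True}  # neither proxy setting configured
FIXED_SETTINGS = {
    "DEBUG": True,
    # Only safe when the proxy is trusted and overwrites this header for every request.
    "SECURE_PROXY_SSL_HEADER": ("HTTP_X_FORWARDED_PROTO", "https"),
    "USE_X_FORWARDED_HOST": True,
}


def is_secure(meta, settings):
    """Simplified request.is_secure(): trust a proxy header only when configured."""
    proxy_header = settings.get("SECURE_PROXY_SSL_HEADER")
    if proxy_header:
        header, secure_value = proxy_header
        value = meta.get(header)
        if value is not None:
            value, *_ = value.split(",", 1)  # first hop wins, as in Django
            return value.strip() == secure_value
    return meta.get("wsgi.url_scheme") == "https"


def get_host(meta, settings):
    """Simplified request.get_host(): X-Forwarded-Host is honoured only when enabled."""
    if settings.get("USE_X_FORWARDED_HOST") and "HTTP_X_FORWARDED_HOST" in meta:
        return meta["HTTP_X_FORWARDED_HOST"]
    return meta.get("HTTP_HOST", meta.get("SERVER_NAME", ""))


def expected_origin(meta, settings):
    """The origin Django reconstructs from the request and compares against Origin."""
    scheme = "https" if is_secure(meta, settings) else "http"
    return "%s://%s" % (scheme, get_host(meta, settings))


def debug_hints(origin, good_origin, meta, settings):
    """Hypothetical DEBUG-only diagnostics pointing at the likely misconfiguration."""
    hints = ["Expected origin computed from the request: %s." % good_origin]
    o, g = urlsplit(origin), urlsplit(good_origin)
    if (o.scheme != g.scheme and "HTTP_X_FORWARDED_PROTO" in meta
            and not settings.get("SECURE_PROXY_SSL_HEADER")):
        hints.append(
            "The request carries X-Forwarded-Proto: %s but SECURE_PROXY_SSL_HEADER "
            "is not set; if a trusted proxy terminates TLS, set "
            "SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')."
            % meta["HTTP_X_FORWARDED_PROTO"])
    if (o.netloc != g.netloc and "HTTP_X_FORWARDED_HOST" in meta
            and not settings.get("USE_X_FORWARDED_HOST")):
        hints.append(
            "The request carries X-Forwarded-Host: %s but USE_X_FORWARDED_HOST is "
            "False; if the proxy rewrites the Host header, set USE_X_FORWARDED_HOST = True."
            % meta["HTTP_X_FORWARDED_HOST"])
    return hints


def check_origin(meta, settings):
    """Return (accepted, reason); reason carries the hints when DEBUG is on."""
    origin = meta["HTTP_ORIGIN"]
    good_origin = expected_origin(meta, settings)
    if origin == good_origin or origin in settings.get("CSRF_TRUSTED_ORIGINS", ()):
        return True, ""
    reason = REASON_BAD_ORIGIN % origin
    if settings.get("DEBUG"):
        reason += " " + " ".join(debug_hints(origin, good_origin, meta, settings))
    return False, reason


if __name__ == "__main__":
    for label, cfg in (("misconfigured", MISCONFIGURED_SETTINGS), ("fixed", FIXED_SETTINGS)):
        ok, reason = check_origin(SAMPLE_META, cfg)
        print(label, "->", "accepted" if ok else reason)
```

With the misconfigured settings the reconstructed origin is `http://app-internal:8000`, so the browser's `https://app.example.test` can never match, and adding it to `CSRF_TRUSTED_ORIGINS` would only paper over the wrong scheme and host rather than fix them. Both proxy settings should be enabled only when the proxy is trusted and overwrites those headers on every request, since otherwise a client can set them itself.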

Change History (9)

comment:1 by Natalia Bidart, 9 months ago

Cc: Carlton Gibson, tim-schilling added
Triage Stage: Unreviewed → Accepted
Type: New feature → Cleanup/optimization

Accepting following the linked Forum discussion.

comment:2 by Mariusz Felisiak, 9 months ago

Patch needs improvement: set

comment:3 by Ryan Hiebert, 9 months ago

Patch needs improvement: unset

comment:4 by Ryan Hiebert, 9 months ago

Owner: changed from nobody to Ryan Hiebert

comment:5 by Sarah Boyce, 8 months ago

Patch needs improvement: set

comment:6 by Ryan Hiebert, 7 months ago

Patch needs improvement: unset

comment:7 by Sarah Boyce, 7 months ago

Patch needs improvement: set

comment:8 by Ryan Hiebert, 7 months ago

Patch needs improvement: unset

comment:9 by Sarah Boyce, 7 months ago

Patch needs improvement: set