Opened 8 weeks ago

Closed 8 weeks ago

Last modified 2 weeks ago

#35796 closed New feature (wontfix)

Add signing support to the CSRF cookie

Reported by: Benjamin Zagorsky
Owned by:
Component: CSRF
Version: dev
Severity: Normal
Keywords: csrf cookie signing
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description (last modified by Benjamin Zagorsky)

Django's CSRF middleware should support signing and checking signatures on CSRF cookies. This would enable sites running on a subdomain of a shared domain name (ex. [SUBDOMAIN].herokuapp.com) to have protection from cookie tampering (reducing the caveat currently under https://docs.djangoproject.com/en/5.1/ref/csrf/#csrf-limitations).

In order to do this in a backwards compatible way, Django should have a setting CSRF_COOKIE_SIGNING that takes three settings:

  1. "disabled" (default): CSRF token is not signed, but CSRF middleware accepts both signed and unsigned cookies.
  2. "lenient": CSRF token is signed, and CSRF middleware accepts both signed and unsigned cookies.
  3. "strict": CSRF token is signed, and CSRF middleware only accepts signed cookies.

This would enable people to upgrade their systems over two releases with no disruption to users, stepping from "disabled" to "lenient" in one release and "lenient" to "strict" in the second release.

Django forum thread: https://forum.djangoproject.com/t/signing-the-csrf-cookie/35156/3
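The three modes proposed in the description, as an added worked example that is not part of this ticket or of Django's code base. It uses the standard-library hmac module in place of django.core.signing so it runs without Django installed; SECRET_KEY, SALT, the ":" separator, the mode names as function arguments and the cookie_tossing_attack() scenario are assumptions for illustration, and Django's token masking is omitted. The point it makes explicit is the caveat a reviewer would want on the record: "lenient" still accepts unsigned cookies, so an attacker on a sibling subdomain who tosses an unsigned cookie onto the shared parent domain passes the check exactly as under "disabled"; only "strict" closes the gap, which is why "lenient" is a migration step and not a protection.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed values for the demo, not Django settings: SECRET_KEY stands in for
# settings.SECRET_KEY and SALT for a per-purpose signing salt.
SECRET_KEY = "constructed-demo-secret-key-do-not-reuse"
SALT = "csrf-cookie"
SEP = ":"  # separator between token and MAC; tokens are hex, so they never contain ':'


def _mac(token: str) -> str:
    """HMAC-SHA256 over salt||token, keyed with SECRET_KEY, hex encoded."""
    return hmac.new(SECRET_KEY.encode(), (SALT + token).encode(), hashlib.sha256).hexdigest()


def _sign(token: str) -> str:
    """Signed cookie value: <token>:<mac>."""
    return f"{token}{SEP}{_mac(token)}"


def issue_csrf_cookie(mode: str, token: Optional[str] = None) -> str:
    """Cookie value the server would set under the given CSRF_COOKIE_SIGNING mode."""
    token = token or secrets.token_hex(16)
    if mode == "disabled":
        return token            # unsigned, as today
    if mode in ("lenient", "strict"):
        return _sign(token)     # token:mac
    raise ValueError(f"unknown mode {mode!r}")


def verify_csrf_cookie(mode: str, cookie: str) -> Optional[str]:
    """Return the token carried by an acceptable cookie, or None to reject it."""
    token, sep, _ = cookie.rpartition(SEP)
    if sep:
        # A signature is present: it must verify in every mode. Constant-time
        # comparison over the whole value avoids leaking the MAC byte by byte.
        if hmac.compare_digest(_sign(token).encode(), cookie.encode()):
            return token
        return None
    # No signature present: only "strict" refuses legacy/unsigned cookies.
    if mode == "strict":
        return None
    return cookie


def csrf_check(mode: str, cookie: str, request_token: str) -> bool:
    """The cookie token must match the token submitted in the form or header
    (Django additionally masks the submitted token; that step is omitted here)."""
    token = verify_csrf_cookie(mode, cookie)
    return token is not None and hmac.compare_digest(token.encode(), request_token.encode())


def cookie_tossing_attack(mode: str) -> bool:
    """Constructed scenario: a sibling subdomain sets a cookie scoped to the
    shared parent domain with a token of its choosing, then drives the victim's
    browser to POST with that same token. The attacker has no SECRET_KEY, so the
    best it can do is an unsigned cookie. Returns True if the check passes."""
    attacker_token = "a" * 32
    return csrf_check(mode, attacker_token, attacker_token)


if __name__ == "__main__":
    for mode in ("disabled", "lenient", "strict"):
        print(mode, "attack succeeds:", cookie_tossing_attack(mode))
```

Two things this does not change: an unsigned cookie issued before the upgrade keeps working under "lenient" (the migration path in the description), and under "strict" a sibling subdomain can still toss a junk cookie that shadows the legitimate one, which turns the attacker's forged POST into a 403 rather than a successful request; signing stops the forgery, not the cookie collision itself.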

Change History (3)

comment:1 by Natalia Bidart, 8 weeks ago

Component: Core (Other) → CSRF
Easy pickings: unset
Keywords: signing added
Resolution: wontfix
Status: new → closed

Hello Benjamin!

Adding a new setting to Django is quite controversial, and something that we try to avoid. Because of that, this requires an explicit agreement with the community. Besides the new setting proposal, I do understand that this report comes along with a new feature request, which would be adding "automatic" CSRF cookie signing to Django. For cases like this, the recommended path forward is to first propose and discuss the idea with the community and gain consensus. To do that, please consider starting a new conversation on the Django Forum, where you'll reach a broader audience and receive additional feedback.

I'll close the ticket for now, but if the community agrees with the proposal, please return to this ticket and reference the forum discussion so we can re-open it. For more information, please refer to the documented guidelines for requesting features.

Thanks!

comment:2 by Benjamin Zagorsky, 2 weeks ago

Description: modified (diff)
Summary: Add setting to sign CSRF cookie → Add signing support to the CSRF cookie

comment:3 by Benjamin Zagorsky, 2 weeks ago (in reply to comment:1)

I've vetted the plan more thoroughly on the Django Forum and have updated the ticket.

