Changes between Initial Version and Version 2 of Ticket #35796
- Timestamp:
- Nov 7, 2024, 3:57:50 PM (2 weeks ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
-
Ticket #35796
- Property Component Core (Other) → CSRF
- Property Easy pickings unset
- Property Keywords signing added
- Property Resolution → wontfix
- Property Status new → closed
- Property Summary Add setting to sign CSRF cookie → Add signing support to the CSRF cookie
-
Ticket #35796 – Description
initial v2 1 Django should have a setting `CSRF_COOKIE_SIGNED` that uses the cookie signing infrastructure to sign the CSRF cookie. This would enable sites running on a subdomain of a shared domain name (ex. [SUBDOMAIN].herokuapp.com) to have protection from cookie tampering (reducing the caveat currently under https://docs.djangoproject.com/en/5.1/ref/csrf/#csrf-limitations).1 Django's CSRF middleware should support signing and checking signatures on CSRF cookies. This would enable sites running on a subdomain of a shared domain name (ex. [SUBDOMAIN].herokuapp.com) to have protection from cookie tampering (reducing the caveat currently under https://docs.djangoproject.com/en/5.1/ref/csrf/#csrf-limitations). 2 2 3 This setting should initially default to `False` for backwards comparability, although this could be changed in a future major release. 3 In order to do this in a backwards compatible way, Django should have a setting `CSRF_COOKIE_SIGNING ` that takes three settings: 4 5 1. `"disabled"` (default): CSRF token is not signed, but CSRF middleware accepts both signed and unsigned cookies. 6 2. `"lenient"`: CSRF token is signed, and CSRF middleware accepts both signed and unsigned cookies. 7 3. `"strict"`: CSRF token is signed, and CSRF middleware only accepts signed cookies. 8 9 This would enable people to upgrade their systems over two releases with no disruption to users, stepping from `"disabled"` to `"lenient"` in one release and `"lenient"` to `"strict"` in the second release. 10 11 Django forum thread: https://forum.djangoproject.com/t/signing-the-csrf-cookie/35156/3