﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
35796	Add signing support to the CSRF cookie	Benjamin  Zagorsky		"Django's CSRF middleware should support signing and checking signatures on CSRF cookies.  This would enable sites running on a subdomain of a shared domain name (ex. [SUBDOMAIN].herokuapp.com) to have protection from cookie tampering (reducing the caveat currently under https://docs.djangoproject.com/en/5.1/ref/csrf/#csrf-limitations).

In order to do this in a backwards compatible way, Django should have a setting `CSRF_COOKIE_SIGNING` that takes three settings:

1. `""disabled""` (default): CSRF token is not signed, but CSRF middleware accepts both signed and unsigned cookies.
2. `""lenient""`: CSRF token is signed, and CSRF middleware accepts both signed and unsigned cookies.
3.  `""strict""`: CSRF token is signed, and CSRF middleware only accepts signed cookies.

This would enable people to upgrade their systems over two releases with no disruption to users, stepping from `""disabled""` to `""lenient""` in one release and `""lenient""` to `""strict""` in the second release.

Django forum thread: https://forum.djangoproject.com/t/signing-the-csrf-cookie/35156/3
"	New feature	closed	CSRF	dev	Normal	wontfix	csrf cookie signing		Unreviewed	0	0	0	0	0	0
