Opened 8 weeks ago
Last modified 2 weeks ago
#35796 closed New feature
Add setting to sign CSRF cookie — at Initial Version
Reported by: | Benjamin Zagorsky | Owned by: | |
---|---|---|---|
Component: | CSRF | Version: | dev |
Severity: | Normal | Keywords: | csrf cookie signing |
Cc: | Triage Stage: | Unreviewed | |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Django should have a setting CSRF_COOKIE_SIGNED
that uses the cookie signing infrastructure to sign the CSRF cookie. This would enable sites running on a subdomain of a shared domain name (ex. [SUBDOMAIN].herokuapp.com) to have protection from cookie tampering (reducing the caveat currently under https://docs.djangoproject.com/en/5.1/ref/csrf/#csrf-limitations).
This setting should initially default to False
for backwards comparability, although this could be changed in a future major release.