Opened 8 weeks ago

Last modified 2 weeks ago

#35796 closed New feature

Add setting to sign CSRF cookie — at Initial Version

Reported by: Benjamin Zagorsky Owned by:
Component: CSRF Version: dev
Severity: Normal Keywords: csrf cookie signing
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Django should have a setting CSRF_COOKIE_SIGNED that uses the cookie signing infrastructure to sign the CSRF cookie. This would enable sites running on a subdomain of a shared domain name (ex. [SUBDOMAIN].herokuapp.com) to have protection from cookie tampering (reducing the caveat currently under https://docs.djangoproject.com/en/5.1/ref/csrf/#csrf-limitations).

This setting should initially default to False for backwards comparability, although this could be changed in a future major release.

Change History (0)

Note: See TracTickets for help on using tickets.
Back to Top