Add CSRF protection #27
Comments
I think it's pretty clear. What I think is that all routes must have CSRF; now, if a route does not need that protection, you should use some method or function, csrf_except or something similar.

Should we do it in the routes.py file? `Post().route('url', 'controller').name('url').no_csrf()` or something like that? This MAY create some complications when checking if it's valid, but may not. We'd have to test.

Yes, exactly.

ok good

I say a good rule here is that, unless I'm thinking wrong, Get() should not have CSRF; it's not needed for GET requests, correct?

also remember that the

It's true that for GET requests the CSRF protection is not necessary; moreover, for GET requests it doesn't add protection but the opposite, it makes a possible attack on the site.
So this will require a few moving parts here.

So how CSRF works is that there is a random key generated (like `8yr8738b8b87b8br48gf84b7bv`) at the start of each request. This changes on every request so it needs to be random. This token can be used inside forms so there needs to be a `{{ csrf_field() }}` function which just points to the `request.get_csrf()` method or something. Check the `HelpersProvider` for how helper functions work, especially in templates (it uses the `View.share` method). Then when the request is submitted via POST, the CSRF token outputted by the `csrf_field()` function is checked against the one that was at the start of the request. If it's the same then the request was made by the current. If it wasn't then there is something wrong and it should throw an exception like `InvalidCSRFToken`.

Now there is something to be aware of and that is that not all routes should have to be CSRF protected. It should be up to the developer to choose the ones that are not protected (all routes should be protected by default).

What I'm thinking of is that only new CSRF tokens should be generated if it is a GET request. This allows you to have a POST request and check if the CSRF token is valid.

Please let me know if you have any questions
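As an added illustration (not the project's own code) of the flow described in this issue and the thread above: a token is generated at the start of GET requests, rendered into forms by a `csrf_field()` helper, compared in constant time on POST, and routes registered as exempt skip the check. `CsrfGuard`, `start_request`, `verify`, the `exempt_routes` list standing in for `no_csrf()`, and the plain dict used as the session are all hypothetical names for this example.

```python
# Added example, not Masonite's implementation: a minimal model of the CSRF
# design discussed in issue #27. CsrfGuard, exempt_routes and the dict-based
# session are hypothetical; the real framework API may differ.
import hmac
import secrets


class InvalidCSRFToken(Exception):
    """Raised when a state-changing request carries a missing or wrong token."""


class CsrfGuard:
    # Methods that must never change state and therefore need no token.
    SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

    def __init__(self, exempt_routes=()):
        # Routes opted out (the thread's no_csrf()); all others are protected.
        self.exempt_routes = set(exempt_routes)

    def start_request(self, session, method):
        """Run at the start of each request.

        A fresh random token is generated only on GET-style requests, so the
        token rendered into a form stays valid for the POST that follows it.
        Returns the token currently valid for this session (None if none yet).
        """
        if method.upper() in self.SAFE_METHODS:
            session["_csrf"] = secrets.token_urlsafe(32)
        return session.get("_csrf")

    def csrf_field(self, session):
        """Template helper: hidden input carrying the current token."""
        return '<input type="hidden" name="__token" value="%s">' % session.get("_csrf", "")

    def verify(self, session, method, path, form):
        """Check a submitted request; raise InvalidCSRFToken on mismatch."""
        if method.upper() in self.SAFE_METHODS or path in self.exempt_routes:
            return True
        expected = session.get("_csrf")
        submitted = form.get("__token")
        # Constant-time comparison; a missing token on either side never matches.
        if not expected or not submitted or not hmac.compare_digest(expected, submitted):
            raise InvalidCSRFToken("CSRF token missing or does not match")
        return True
```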