Switched to session-based CSRF method. Fixes issue #56.

commit fc13425b639bf3729d78f31a4cd902f6cd211dc7 (1 parent: 2eda5d3)
Authored by @fwenzel
Showing with 48 additions and 0 deletions.
  1. +42 −0 bestpractices.rst
  2. +3 −0  features.rst
  3. +3 −0  libs.rst
42 bestpractices.rst
@@ -127,3 +127,45 @@ In JavaScript, never create **code from strings**, including calls to:
* ``setTimeout()`` called with a non-callable argument
* ``setInterval()`` called with a non-callable argument
+
+CSRF-protect your forms
+-----------------------
+
+Django comes with a built-in, cookie-based `CSRF protection
+<https://docs.djangoproject.com/en/dev/ref/contrib/csrf/>`_ facility. Sadly,
+the integrity of cookies can be compromised under certain circumstances
+(through Flash, or across subdomains on the same domain), so we replaced the
+CSRF method with a session-based method (as is common across web frameworks).
+
+To CSRF-protect a form for logged-in users, just add this to your template,
+inside the ``<form>`` tag::
+
+ {{ csrf() }}
+
+To make this work for anonymous users, with a light-weight session stored in
+Django's cache, decorate a view with ``@anonymous_csrf``:
+
+.. code-block:: python
+
+ from session_csrf import anonymous_csrf
+
+ @anonymous_csrf
+ def login(request):
+ ...
+
+If a form is supposed to be CSRF-protected for logged-in users, but not for
+anonymous users, use the ``@anonymous_csrf_exempt`` decorator:
+
+.. code-block:: python
+
+ from session_csrf import anonymous_csrf_exempt
+
+ @anonymous_csrf_exempt
+ def protected_in_another_way(request):
+ ...
+
+Finally, to disable CSRF protection on a form altogether (if you know what
+you're doing!), Django's ``csrf_exempt`` decorator still works as expected.
+
+To learn more about this method, refer to the
+`django-session-csrf README <https://github.com/mozilla/django-session-csrf#readme>`_.
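Review bot: the template snippet ``{{ csrf() }}`` is not Django's stock ``{% csrf_token %}`` tag, and the section never says that this helper is what the session-based method provides in place of it; one sentence stating that ``{{ csrf() }}`` replaces ``{% csrf_token %}`` in these templates would keep readers from mixing the two. In the ``@anonymous_csrf`` paragraph, since the anonymous session is "stored in Django's cache", it is worth adding that the cache backend must be shared by every process serving the form, otherwise the token issued on one request is not found on the next.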
3  features.rst
@@ -49,6 +49,9 @@ Security
a `nugget <https://github.com/mozilla/nuggets/>`_.
* `bleach <https://github.com/jsocol/bleach/>`_ library bundled for
secure-by-default, but heavily customizable HTML sanitization of user input.
+* Used `django-session-csrf <https://github.com/mozilla/django-session-csrf>`_
+ to replace Django's built-in, cookie-based CSRF method with a common,
+ session-based method. This mitigates the risk of cookie forging attacks.
.. _commonware: https://github.com/jsocol/commonware
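Review bot: "cookie forging attacks" in the new bullet is broader than what the bestpractices.rst hunk in this same commit describes (cookies set through Flash or from another subdomain on the same domain); suggest matching that wording, e.g. ``This mitigates CSRF cookies being set via Flash or from a sibling subdomain.``, and writing ``cookie-forging`` with the hyphen as libs.rst does so the two pages agree.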
3  libs.rst
@@ -81,6 +81,9 @@ Security and Data Sanitization
Monkey-patches strong password hashing support into Django.
* `happyforms <https://github.com/jbalogh/happyforms>`_:
Extension to Django Forms that strips spaces.
+* `django-session-csrf <https://github.com/mozilla/django-session-csrf>`_\*:
+ Replaces Django's cookie-based CSRF method with a session-based one, in
+ order to mitigate certain cookie-forging attacks.
Templates and Caching
---------------------
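Review bot: the escaped ``\*`` appended after the link in the new bullet reads as a marker with a meaning; if this list uses a trailing asterisk as a legend item, confirm the legend is present in this section, otherwise drop the asterisk. "certain cookie-forging attacks" should also name the case the bestpractices.rst hunk describes (cookies set via Flash or from another subdomain) so that all three files touched by this commit describe the same threat.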