In addition to CSRF token, verify the origin too #2501
Add an additional layer of protection against CSRF by verifying the actual origin of the request in addition to the CSRF token. We only do this check on sites hosted behind HTTPS because only HTTPS sites have evidence to show that the Referrer header is not being spuriously removed by random middleware boxes.
Note: to prevent any sort of backwards incompatibility, and since the CSRF predicate has been deprecated, I've only added this to the new view derivation form of CSRF.
I still need to write documentation and tests (working on that now); I just thought I'd throw this up here in case people were interested. This same technique can be seen in Django.
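The check described in the PR text, written out as an added example. This is not the project's own code from this pull request and not Django's; `Request` is a hypothetical, minimal stand-in for a real framework request object, and `trusted_origins` is an assumed extra parameter for deployments that legitimately post from a sibling host. The origin check is only enforced on HTTPS requests, prefers the `Origin` header, falls back to `Referer`, treats a missing `Referer` on HTTPS as a failure, and runs alongside a constant-time token comparison:

```python
"""Origin/Referer verification alongside the CSRF token.

Added illustration of the technique in the PR description; not the project's
own code. `Request` is a hypothetical minimal stand-in for a framework request.
"""
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


@dataclass
class Request:
    method: str
    scheme: str                      # "http" or "https" as seen by the app
    host: str                        # Host header, e.g. "example.com:8443"
    headers: dict = field(default_factory=dict)
    session_token: str = ""          # token the server issued to this session
    submitted_token: str = ""        # token found in the form / X-CSRF-Token


def _strip_default_port(host, scheme):
    """Lower-case host[:port] with the scheme's default port removed, so that
    'example.com' and 'example.com:443' compare equal for https."""
    host = host.lower()
    suffix = {"https": ":443", "http": ":80"}.get(scheme)
    if suffix and host.endswith(suffix):
        host = host[: -len(suffix)]
    return host


def _url_host(url):
    """Normalized host of an absolute URL, or None if it is not one."""
    p = urlsplit(url)
    if not p.scheme or not p.netloc:
        return None
    return _strip_default_port(p.netloc, p.scheme)


def check_csrf_origin(request, trusted_origins=()):
    """Return None if the request's Origin (preferred) or Referer matches the
    Host, otherwise a string saying why it was rejected.

    Enforced only for HTTPS requests: nothing between a browser on an HTTPS
    page and the server can strip the Referer, so its absence is itself a
    reason to refuse. On plain HTTP a missing header proves nothing, so the
    token alone has to carry the protection there."""
    if request.method in SAFE_METHODS or request.scheme != "https":
        return None
    allowed = {_strip_default_port(request.host, "https")}
    allowed |= {_strip_default_port(h, "https") for h in trusted_origins}

    origin = request.headers.get("Origin")
    if origin is not None:
        if origin == "null":         # opaque origin: sandboxed iframe, data: URL
            return "Origin header is 'null'"
        host = _url_host(origin)
        if host is None or host not in allowed:
            return f"Origin {origin!r} does not match host {request.host!r}"
        return None

    referer = request.headers.get("Referer")
    if not referer:
        return "Referer header missing on an HTTPS request"
    if urlsplit(referer).scheme != "https":
        return "Referer is not HTTPS"     # request came from an insecure page
    host = _url_host(referer)
    if host is None or host not in allowed:
        return f"Referer {referer!r} does not match host {request.host!r}"
    return None


def check_csrf_token(request):
    """Constant-time comparison of the submitted token with the session's."""
    if request.method in SAFE_METHODS:
        return None
    if not request.session_token or not request.submitted_token:
        return "CSRF token missing"
    if not hmac.compare_digest(request.session_token, request.submitted_token):
        return "CSRF token mismatch"
    return None


def check_csrf(request, trusted_origins=()):
    """Both layers must pass; the origin check is the one this PR adds."""
    return check_csrf_origin(request, trusted_origins) or check_csrf_token(request)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    good = Request("POST", "https", "example.com",
                   {"Origin": "https://example.com"}, "t0k3n", "t0k3n")
    forged = Request("POST", "https", "example.com",
                     {"Origin": "https://attacker.example"}, "t0k3n", "t0k3n")
    print("good:", check_csrf(good))
    print("forged:", check_csrf(forged))
```

The `scheme` passed to `Request` must be the scheme the browser used, not what a TLS-terminating proxy forwards on; if the app sees plain HTTP behind such a proxy, the origin layer silently switches itself off, which is why this example is only meaningful with a correctly configured `X-Forwarded-Proto` or equivalent.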