Fixed #26165 -- Added some FAQs about CSRF protection.
Thanks Florian Apolloner and Shai Berger for review.
This commit is contained in:
parent
11a8207d42
commit
a1b1688c7d
|
@ -240,12 +240,16 @@ The CSRF protection is based on the following things:
|
||||||
This check is done by ``CsrfViewMiddleware``.
|
This check is done by ``CsrfViewMiddleware``.
|
||||||
|
|
||||||
4. In addition, for HTTPS requests, strict referer checking is done by
|
4. In addition, for HTTPS requests, strict referer checking is done by
|
||||||
``CsrfViewMiddleware``. This is necessary to address a Man-In-The-Middle
|
``CsrfViewMiddleware``. This means that even if a subdomain can set or
|
||||||
attack that is possible under HTTPS when using a session independent nonce,
|
modify cookies on your domain, it can't force a user to post to your
|
||||||
due to the fact that HTTP 'Set-Cookie' headers are (unfortunately) accepted
|
application since that request won't come from your own exact domain.
|
||||||
by clients that are talking to a site under HTTPS. (Referer checking is not
|
|
||||||
done for HTTP requests because the presence of the Referer header is not
|
This also addresses a man-in-the-middle attack that's possible under HTTPS
|
||||||
reliable enough under HTTP.)
|
when using a session independent nonce, due to the fact that HTTP
|
||||||
|
``Set-Cookie`` headers are (unfortunately) accepted by clients even when
|
||||||
|
they are talking to a site under HTTPS. (Referer checking is not done for
|
||||||
|
HTTP requests because the presence of the ``Referer`` header isn't reliable
|
||||||
|
enough under HTTP.)
|
||||||
|
|
||||||
If the :setting:`CSRF_COOKIE_DOMAIN` setting is set, the referer is compared
|
If the :setting:`CSRF_COOKIE_DOMAIN` setting is set, the referer is compared
|
||||||
against it. This setting supports subdomains. For example,
|
against it. This setting supports subdomains. For example,
|
||||||
|
@ -263,7 +267,15 @@ It deliberately ignores GET requests (and other requests that are defined as
|
||||||
'safe' by :rfc:`2616`). These requests ought never to have any potentially
|
'safe' by :rfc:`2616`). These requests ought never to have any potentially
|
||||||
dangerous side effects , and so a CSRF attack with a GET request ought to be
|
dangerous side effects , and so a CSRF attack with a GET request ought to be
|
||||||
harmless. :rfc:`2616` defines POST, PUT and DELETE as 'unsafe', and all other
|
harmless. :rfc:`2616` defines POST, PUT and DELETE as 'unsafe', and all other
|
||||||
methods are assumed to be unsafe, for maximum protection.
|
methods are also assumed to be unsafe, for maximum protection.
|
||||||
|
|
||||||
|
The CSRF protection cannot protect against man-in-the-middle attacks, so use
|
||||||
|
:ref:`HTTPS <security-recommendation-ssl>` with
|
||||||
|
:ref:`http-strict-transport-security`. It also assumes :ref:`validation of
|
||||||
|
the HOST header <host-headers-virtual-hosting>` and that there aren't any
|
||||||
|
:ref:`cross-site scripting vulnerabilities <cross-site-scripting>` on your site
|
||||||
|
(because XSS vulnerabilities already let an attacker do anything a CSRF
|
||||||
|
vulnerability allows and much worse).
|
||||||
|
|
||||||
.. versionchanged:: 1.9
|
.. versionchanged:: 1.9
|
||||||
|
|
||||||
|
@ -462,3 +474,34 @@ A number of settings can be used to control Django's CSRF behavior:
|
||||||
* :setting:`CSRF_FAILURE_VIEW`
|
* :setting:`CSRF_FAILURE_VIEW`
|
||||||
* :setting:`CSRF_HEADER_NAME`
|
* :setting:`CSRF_HEADER_NAME`
|
||||||
* :setting:`CSRF_TRUSTED_ORIGINS`
|
* :setting:`CSRF_TRUSTED_ORIGINS`
|
||||||
|
|
||||||
|
Frequently Asked Questions
|
||||||
|
==========================
|
||||||
|
|
||||||
|
Is posting an arbitrary CSRF token pair (cookie and POST data) a vulnerability?
|
||||||
|
-------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
No, this is by design. Without a man-in-the-middle attack, there is no way for
|
||||||
|
an attacker to send a CSRF token cookie to a victim's browser, so a successful
|
||||||
|
attack would need to obtain the victim's browser's cookie via XSS or similar,
|
||||||
|
in which case an attacker usually doesn't need CSRF attacks.
|
||||||
|
|
||||||
|
Some security audit tools flag this as a problem but as mentioned before, an
|
||||||
|
attacker cannot steal a user's browser's CSRF cookie. "Stealing" or modifying
|
||||||
|
*your own* token using Firebug, Chrome dev tools, etc. isn't a vulnerability.
|
||||||
|
|
||||||
|
Is the fact that Django's CSRF protection isn't linked to a session a problem?
|
||||||
|
------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
No, this is by design. Not linking CSRF protection to a session allows using
|
||||||
|
the protection on sites such as a `pastebin` that allow submissions from
|
||||||
|
anonymous users which don't have a session.
|
||||||
|
|
||||||
|
Why not use a new token for each request?
|
||||||
|
-----------------------------------------
|
||||||
|
|
||||||
|
Generating a new token for each request is problematic from a UI perspective
|
||||||
|
because it invalidates all previous forms. Most users would be very unhappy to
|
||||||
|
find that opening a new tab on your site has invalidated the form they had
|
||||||
|
just spent time filling out in another tab or that a form they accessed via
|
||||||
|
the back button could not be filled out.
|
||||||
|
|
Loading…
Reference in New Issue