Added CSRF with HTTPS/HSTS and forwarding note

David Fischer 2012-09-06 16:08:14 -04:00
parent ba141e6906
commit c65100248d
No known key found for this signature in database
GPG Key ID: F0C9B0ADA737AB60
1 changed file with 13 additions and 1 deletion


@ -76,9 +76,17 @@ POST to your Web site and have another logged in user unwittingly submit that
form. The malicious user would have to know the nonce, which is user specific form. The malicious user would have to know the nonce, which is user specific
(using a cookie). (using a cookie).
When deployed with :ref:`HTTPS <security-recommendation-ssl>`,
``CsrfViewMiddleware`` will check that the HTTP referer header is set to a
URL on the same origin (including subdomain and port). Because HTTPS
provides additional security, it is imperative to ensure connections use HTTPS
where it is available by forwarding insecure connection requests and using
HSTS for supported browsers.
Be very careful with marking views with the ``csrf_exempt`` decorator unless Be very careful with marking views with the ``csrf_exempt`` decorator unless
it is absolutely necessary. it is absolutely necessary.
SQL injection protection SQL injection protection
======================== ========================
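Review bot: the new paragraph states that ``CsrfViewMiddleware`` checks the referer on HTTPS but never says why the check is limited to HTTPS, so the jump from "Because HTTPS provides additional security" to the forwarding and HSTS advice reads as a non sequitur; one connecting clause would fix it, e.g. "... so that every request to the site is covered by this check." Two smaller points in the same lines: the header name should be written as a literal, ``Referer``, to match ``X-Forwarded-Host`` later in this file, and "forwarding insecure connection requests" would be clearer as "redirecting plain HTTP requests to HTTPS", which is what the SSL/HTTPS section this paragraph links to actually describes.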
@ -112,6 +120,8 @@ The middleware is strongly recommended for any site that does not need to have
its pages wrapped in a frame by third party sites, or only needs to allow that its pages wrapped in a frame by third party sites, or only needs to allow that
for a small section of the site. for a small section of the site.
.. _security-recommendation-ssl:
SSL/HTTPS SSL/HTTPS
========= =========
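Review bot: this label is the target of the new ``:ref:`HTTPS <security-recommendation-ssl>``` in the CSRF paragraph above, so the two must stay in sync; also confirm a blank line sits between ``.. _security-recommendation-ssl:`` and the ``SSL/HTTPS`` title, as the other labels in this file have, so Sphinx attaches the label to that section.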
@ -155,7 +165,7 @@ server, there are some additional steps you may need:
the added security of SSL provided one successful connection has occurred. the added security of SSL provided one successful connection has occurred.
HSTS is usually configured on the web server. HSTS is usually configured on the web server.
.. _additional-security-topics: .. _host-headers-virtual-hosting:
Host headers and virtual hosting Host headers and virtual hosting
================================ ================================
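Review bot: renaming the label here is the right fix, since ``additional-security-topics`` was sitting on the "Host headers and virtual hosting" section rather than the section it names, but the rename silently changes where existing ``:ref:`` links to ``additional-security-topics`` land; grep the rest of the docs for that label and retarget any reference that actually meant this Host headers section to the new ``host-headers-virtual-hosting`` label.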
@ -175,6 +185,8 @@ recommend you ensure your Web server is configured such that:
Additionally, as of 1.3.1, Django requires you to explicitly enable support for Additionally, as of 1.3.1, Django requires you to explicitly enable support for
the ``X-Forwarded-Host`` header if your configuration requires it. the ``X-Forwarded-Host`` header if your configuration requires it.
.. _additional-security-topics:
Additional security topics Additional security topics
========================== ==========================
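Review bot: with the label restored on its proper section, every existing ``:ref:`` to ``additional-security-topics`` now resolves here instead of to the Host headers section; this is what the rename intends, but the commit message should say the label was moved, not only that the CSRF note was added, so the change is findable later.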