On Sep 22, 1:25 pm, Simon Willison <[EMAIL PROTECTED]> wrote:
> CSRF[1] is one of the most common web application vulnerabilities, but
> continues to have very poor awareness in the developer community.
> Django ships with CSRF protection in the form of middleware, but it's
> off by default. I'm willing to bet most people don't turn it on.
>
> I don't believe middleware is the right way to approach this. It's too
> "magic" - it involves code that parses and re-writes your HTML as the
> response is being returned. It also means CSRF failures can't be
> gracefully handled - the middleware can throw up a big ugly error
> page, but ideally a CSRF failure would be treated the same way as a
> regular form validation error.
I just read this thread now, and by the end of it, things are looking pretty complicated. Is it worth a gut check to make sure this is worthwhile?

Although the middleware might be a hack now, it seems sensible that it fits in request/response areas rather than in forms: you still need to go out of your way to add it anyway (so users won't necessarily "turn it on"); it takes a lot more code; add in the multiple-forms-per-page question, and to me it seems like you've fixed a problem by introducing another.

Finally, it doesn't take much to make a pretty message - something like "You are under attack, close down your browser and try again" with images of flaming people & such - for the (let's be realistic) very rare cases when a CSRF attack occurs. All you need is a template, right? (And I would consider sending an email to the admin notifying them that an attack was attempted, at least to get an idea of how common these issues are.)

-rob
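To make the middleware-versus-forms contrast discussed above concrete, here is an added example in plain Python (not Django's code and not from anyone in this thread): the same per-session token check exposed once as a request-level gate that raises before the view runs, and once as a form validator that returns the failure alongside ordinary field errors. The `session` and `post_data` dicts stand in for Django's request objects and are assumptions of the example.

```python
import hmac
import secrets
from typing import Dict, Optional


class CsrfFailure(Exception):
    """Middleware-style outcome: the request is rejected before the view runs."""


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Create a random per-session token (once) for embedding as a hidden form field.

    One token per session covers every form rendered for that session, so a page
    with several forms needs no extra bookkeeping.
    """
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def token_matches(session: Dict[str, str], submitted: Optional[str]) -> bool:
    """Constant-time comparison of the submitted token against the session copy."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), submitted.encode("utf-8"))


def middleware_check(session: Dict[str, str], post_data: Dict[str, str],
                     method: str = "POST") -> None:
    """Request-level check (the middleware approach): safe methods pass, anything
    else with a bad token raises before the view runs, so the only possible
    response is a generic error page."""
    if method in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return
    if not token_matches(session, post_data.get("csrf_token")):
        raise CsrfFailure("403 Forbidden: CSRF token missing or incorrect")


def validate_form(session: Dict[str, str], post_data: Dict[str, str]) -> Dict[str, str]:
    """Form-level check: a CSRF failure is reported like any other field error.
    Returns field name -> message; an empty dict means the form is valid, so
    the view can re-render the form with messages instead of a 403 page."""
    errors: Dict[str, str] = {}
    if not post_data.get("comment", "").strip():
        errors["comment"] = "This field is required."
    if not token_matches(session, post_data.get("csrf_token")):
        errors["csrf_token"] = "Your form session is invalid; please reload and resubmit."
    return errors
```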