I am eagerly waiting to hear your comments and opinions.

Thanks,

Prithviraj M Billa
github :: http://github.com/Prithvirajbilla
blog:: http://blog.prithvirajbilla.com


On Sunday, February 23, 2014 9:34:15 PM UTC+5:30, Prithviraj Billa wrote:
>
> Hello Guys!
>
>
> I am planning to work on developing and improving the security features of 
> Django.
>
> I would like some help in formalizing the proposal so that it will meet 
> the requirements.
>

> Things I understood about how security against CSRF works and how it is 
> implemented in Django (please correct me if I'm wrong):
>
>
>    - Whenever the user requests a csrf_token in the HTML view or using the 
>      function csrf_protect(), the server creates a randomized token which is 
>      different for every request (changes for requests), and we set a cookie 
>      csrf_token=value.
>    - When a POST request is sent (or some sensitive operation is done on the 
>      server side), we also send a hidden variable csrf_token which is validated 
>      against the cookie (double-submit cookie technique).
>    - The attacker may send the request from another domain on behalf of the 
>      logged-in user, but the attack will mostly fail because he cannot read 
>      the session data (because of the same-origin policy).
>    - All these operations are taken care of by the CSRF middleware.
>
> It is mentioned that you want to integrate the 
> django-secure <https://github.com/carljm/django-secure> project with the Django 
> project. SSL redirect, security against clickjacking, and some XSS attacks 
> were already implemented in the above project. Does the candidate have to 
> improve those features or just have to integrate those features with the 
> present Django?
>
> How can we enhance the security measures against CSRF attacks? (I don't 
> know how to enhance security using the double-submit cookie technique, 
> which is already implemented in the Django project.)
>
> I think we can implement the encrypted token pattern to enhance the security 
> against CSRF attacks. It is mentioned that it allows us greater control over 
> CSRF defense, without introducing new security concerns or architectural 
> problems. I'm a newbie in this area, so please let me know if this is not a 
> good idea.
>
>
>
> I would like to hear your comments and opinions.
>
> Thanks,
>
> Prithviraj M Billa
>
> github: http://github.com/Prithvirajbilla
>
> blog: http://blog.prithvirajbilla.com
>
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at http://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/9ba193b8-8308-41ed-9189-576fe8480f78%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
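The double-submit flow described in the quoted message (cookie set when the form is rendered, hidden field compared against the cookie on POST, cross-site forgery failing because the attacker's page cannot read the cookie), as an added Python example that is not Django's own code and not part of the original thread. It is a deliberately small reimplementation modeled on the behaviour of Django's CsrfViewMiddleware: the cookie, field and header names (csrftoken, csrfmiddlewaretoken, X-CSRFToken) are Django's defaults, while the Request class, the ensure_cookie_token/check_csrf helpers and the simulated browser session are constructed here for illustration.

```python
"""Double-submit-cookie CSRF check in the style of Django's CsrfViewMiddleware.

Added illustration only: a deliberately small reimplementation, not Django's code.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple

COOKIE_NAME = "csrftoken"           # Django's default CSRF cookie name
FIELD_NAME = "csrfmiddlewaretoken"  # Django's default hidden form field name
HEADER_NAME = "X-CSRFToken"         # header used by AJAX requests (Django default)
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Request:
    """Constructed stand-in for an HTTP request (hypothetical, not Django's HttpRequest)."""
    method: str
    cookies: Dict[str, str] = field(default_factory=dict)
    post: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


def new_token() -> str:
    """Unguessable token from the OS CSPRNG; 32 bytes -> 64 hex characters."""
    return secrets.token_hex(32)


def ensure_cookie_token(request: Request, response_cookies: Dict[str, str]) -> str:
    """What rendering the csrf_token tag needs: reuse the cookie's token if the
    browser already has one, otherwise mint one, and (re)set the cookie.
    Returns the value to embed in the hidden form field."""
    token = request.cookies.get(COOKIE_NAME) or new_token()
    response_cookies[COOKIE_NAME] = token
    return token


def check_csrf(request: Request) -> Tuple[bool, str]:
    """Double-submit check: the value submitted in the body (or header) must
    equal the value in the cookie. Returns (accepted, reason)."""
    if request.method in SAFE_METHODS:
        return True, "safe method"                # only state-changing methods are checked
    cookie = request.cookies.get(COOKIE_NAME)
    if not cookie:
        return False, "CSRF cookie not set"
    submitted = request.post.get(FIELD_NAME) or request.headers.get(HEADER_NAME, "")
    if not submitted:
        return False, "CSRF token missing"
    # Constant-time comparison so a mismatch does not leak where the strings diverge.
    if not hmac.compare_digest(cookie.encode(), submitted.encode()):
        return False, "CSRF token incorrect"
    return True, "ok"


def simulate() -> Dict[str, Tuple[bool, str]]:
    """Walk through a legitimate submission and two cross-site forgeries."""
    # 1. The user loads the form. The response sets the cookie and the form
    #    embeds the same value in the hidden field.
    response_cookies: Dict[str, str] = {}
    token = ensure_cookie_token(Request("GET"), response_cookies)
    browser_jar = dict(response_cookies)          # the browser stores the cookie

    # 2. Legitimate POST from the rendered form: cookie and hidden field agree.
    legit = Request("POST", cookies=browser_jar, post={FIELD_NAME: token})

    # 3. Forged POST from another origin: the browser attaches the cookie anyway
    #    (pre-SameSite behaviour), but the attacker's page cannot read it because
    #    of the same-origin policy, so the hidden field is at best a guess.
    forged = Request("POST", cookies=browser_jar, post={FIELD_NAME: new_token()})

    # 4. Forged POST that does not bother with the hidden field at all.
    bare = Request("POST", cookies=browser_jar)

    return {
        "legitimate": check_csrf(legit),
        "forged_guess": check_csrf(forged),
        "forged_missing": check_csrf(bare),
    }


if __name__ == "__main__":
    for name, (ok, why) in simulate().items():
        print(f"{name:15s} accepted={ok} ({why})")
```

The check proves only that whoever built the request could read the cookie, so its strength rests entirely on the cookie being unreadable cross-origin: an XSS in the same origin, or a sibling subdomain that can set cookies for the parent domain, defeats it. Note also that the comparison must be constant-time, and that the token is reused while the cookie exists rather than regenerated on every request; later Django releases additionally mask the token per request so the value embedded in the page differs from the cookie while still validating.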
