https://security.stackexchange.com/questions/262245/are-csrf-attacks-a-thing-of-the-past
Looks like lax will do the trick, but it's not like there aren't legit
cases for same-site policy to be set to something less restrictive.
LP,
Jure
On 17. 04. 23 09:24, Jacob Rief wrote:
On Monday, April 17, 2023 at 8:45:16 AM UTC+2 Curtis Maloney wrote:
Are you implying that all CSRF attacks protected by Django's
current machinery are entirely mitigated by SameSite=Lax on the
_session_ cookiue?
Yes. Therefore imho, the CSRF protection is just some nasty legacy,
developers have to fiddle with. It doesn't add any security benefit
anymore.
That said, maybe there is still a possible attack vector on cross site
request forgeries, but I was unable to exploit them with disabled CSRF
protection.
Therefore it would be great, if someone with more hacking experience
than myself, could try this.
– Jacob
--
You received this message because you are subscribed to the Google
Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to django-developers+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-developers/18aaa4cf-4612-4373-bd91-90cfb3fd07b8n%40googlegroups.com
<https://groups.google.com/d/msgid/django-developers/18aaa4cf-4612-4373-bd91-90cfb3fd07b8n%40googlegroups.com?utm_medium=email&utm_source=footer>.
--
You received this message because you are subscribed to the Google Groups "Django
developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-developers+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-developers/86ced442-e7f9-aab8-9a03-d9c2362b60f9%40gmail.com.