#12738: CSRF token name should be a configurable setting
-------------------------------------+---------------------------------------
 Reporter: Kronuz                    | Owner: nobody
 Status: new                         | Milestone: 1.2
 Component: Uncategorized            | Version:
 Resolution:                         | Keywords:
 Stage: Unreviewed                   | Has_patch: 0
 Needs_docs: 0                       | Needs_tests: 0
 Needs_better_patch: 0               |
-------------------------------------+---------------------------------------
Changes (by lukeplant):
 * needs_better_patch: => 0
 * needs_tests: => 0
 * needs_docs: => 0

Comment:

I don't understand why that would improve security. The security lies in the value of the token, not the name. Most CSRF attacks are going to be per-site, and a setting would be per-site. Also, if an attacker was using a more generic attack against all Django-powered sites, it would be easy to find out what the name of the token is for a specific site - one request to a page that contains a POST form, and you are done, since a simple regex will in most cases find which field 'looks like' a Django CSRF token.

Do you have an actual use case where you need this?

--
Ticket URL: <http://code.djangoproject.com/ticket/12738#comment:1>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
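An added illustration of the point made in the comment, written for this page and not taken from Django or the ticket: a minimal cookie-plus-form-field CSRF check in which the field name is a hypothetical setting. The outcome depends only on whether the submitted value matches the unguessable cookie value, so renaming the field changes nothing about what an attacker must know.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Hypothetical setting standing in for the name the ticket wants configurable.
# This is a simplified model of the cookie-plus-hidden-field pattern, not
# Django's actual middleware.
CSRF_FIELD_NAME = "csrfmiddlewaretoken"


def generate_token() -> str:
    """32 random bytes, hex-encoded. The unguessable value is the whole defence."""
    return secrets.token_hex(32)


def csrf_check(cookie_token: str, form_body: str,
               field_name: str = CSRF_FIELD_NAME) -> bool:
    """True only when the field named `field_name` carries the cookie's token."""
    if not cookie_token:
        return False
    submitted = parse_qs(form_body).get(field_name, [""])[0]
    # Constant-time comparison so response timing does not leak the value.
    return hmac.compare_digest(cookie_token.encode(), submitted.encode())


def demo() -> tuple:
    """Run the check under four constructed requests and return the verdicts."""
    token = generate_token()
    # Correct value under the default name: accepted.
    ok = csrf_check(token, f"csrfmiddlewaretoken={token}&comment=hi")
    # Same value under a renamed field, with the setting changed to match: still accepted.
    renamed_ok = csrf_check(token, f"_xsrf={token}&comment=hi", field_name="_xsrf")
    # Right name, wrong value (the name is known, the value is not): rejected.
    guessed = csrf_check(token, "csrfmiddlewaretoken=" + "0" * 64 + "&comment=hi")
    # No cookie token at all: rejected.
    no_cookie = csrf_check("", f"csrfmiddlewaretoken={token}")
    return ok, renamed_ok, guessed, no_cookie


if __name__ == "__main__":
    print(demo())
```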