See this: https://www.owasp.org/index.php/SameSite

Cheers,

Etienne


On 2018-01-16 at 10:36, knbk wrote:
How does using nginx protect against CSRF attacks?

Marten

On Tuesday, January 16, 2018 at 10:49:21 AM UTC+1, Etienne Robillard wrote:

    A much more practical way to improve security against XSRF attacks
    is using nginx.

    Regards,

    Etienne


    On 2018-01-16 at 04:38, James Bennett wrote:
    If you can demonstrate a practical attack against Django's CSRF
    system, feel free to email it to secu...@djangoproject.com.

    On Tue, Jan 16, 2018 at 1:26 AM, Etienne Robillard
    <tka...@yandex.com> wrote:

        Hi Stephan,

        I'm also interested in understanding why I should have some form
        of CSRF protection for my WSGI app...

        Perhaps recoding the Django 1.11 CSRF middleware into a
        proper WSGI application (CSRFController) would help.

        But seriously, I don't use/recommend the Django CSRF
        middleware because it does not improve the security of form
        processing.


        Cheers,

        Etienne



        On 2018-01-15 at 17:03, Stephan Doliov wrote:
        Just curious, I recently went on a source code studying
        binge and took a look at the CSRF middleware that comes with
        Django. I appreciate the work and effort of the authors, but
        I am not sure I gain anything by deploying it to my site.
        Here is why:
        The middleware token assigned to a form and to a csrftoken
        cookie are ciphertexts of the same underlying key (by
        default, the underlying key is chosen as 32 randomly chosen
        (with replacement) chars from a set of 62 chars). So the easy
        workaround can be done in one of two ways:

        1) Write a script that just harvests the middleware token
        from a form "protected" with such token and use the value of
        that as the csrftoken cookie.
        As the middlewaretoken is a cipher of the underlying token,
        obviously using the same string as the value of the
        csrftoken cookie will satisfy the middleware's demand for
        authorization of the resource (e.g. POSTing to the form).

        2) Learn the easy cipher algorithm the csrf middleware uses
        and present a csrf token cookie that will decode to the
        right value.

        In either case, I am not convinced that meaningful
        protection against CSRF types of requests are provided by
        the middleware. Am I missing something?

        Wouldn't it be more secure to just have middleware that
        whitelists a series of origins (aka CORS) and then,
        unlike CORS, actually perform reverse lookups on the DNS of
        the whitelisted domains? (Of course, this assumes that the
        hosts that might want to make cross-site requests have
        access to managing their reverse DNS.)

        Am I missing something; or, if serving performance is a top
        goal of mine, should I just ditch the csrf middleware? (and
        maybe rate limit client requests to prevent DoS attacks)?

        Thanks,
        Steve
        --
        You received this message because you are subscribed to the
        Google Groups "Django users" group.
        To unsubscribe from this group and stop receiving emails
        from it, send an email to django-users...@googlegroups.com.
        To post to this group, send email to django...@googlegroups.com.
        Visit this group at https://groups.google.com/group/django-users.
        To view this discussion on the web visit
        https://groups.google.com/d/msgid/django-users/9c4a794f-aa9e-4c00-ba20-779ad7a87d2a%40googlegroups.com.
        For more options, visit https://groups.google.com/d/optout.

        --
        Etienne Robillard
        tka...@yandex.com
        https://www.isotopesoftware.ca/






--
Etienne Robillard
tkad...@yandex.com
https://www.isotopesoftware.ca/
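Added example (not code from the thread, from Django, or from any of the posters): a from-scratch reconstruction of the token masking scheme that Django 1.11's CSRF middleware uses, as Stephan describes it above, written to make visible what the cookie/form comparison actually checks and where the protection comes from. The function and constant names below are my own; the algorithm (a 32-char secret from a 62-char alphabet, masked with a fresh random 32-char mask by per-character addition mod 62, token = mask followed by masked secret) is the scheme as I understand it from the thread and from Django's source, and should be read as an assumption rather than as Django's API. The point it demonstrates: the cookie value and the form value are interchangeable views of one secret, so the masking hides nothing from anyone who already holds a token; what stops a cross-site page is that the browser will attach the victim's cookie to a forged POST but will not let the attacking origin read that cookie or the victim's rendered form, so the attacker cannot supply a request token that unmasks to the same secret. A SameSite attribute on the cookie, which the OWASP page Etienne links to describes, cuts this off one step earlier by not attaching the cookie to cross-site POSTs at all.

```python
"""Reconstruction of a Django-1.11-style masked CSRF token check (assumed scheme,
not Django's own code)."""
import hmac
import secrets
import string

CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits  # 62 chars, as in the thread
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH  # 32-char mask followed by 32 masked chars


def new_secret() -> str:
    """32 chars chosen uniformly, with replacement, from the 62-char alphabet."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def mask_secret(secret: str) -> str:
    """Return mask || (secret[i] + mask[i]) mod 62 for each position i.

    A fresh random mask is used on every call, so the same secret renders as a
    different token each time. The masking exists so that repeated responses do not
    carry an identical token; it is not a secrecy mechanism against anyone who can
    already read a token.
    """
    n = len(CSRF_ALLOWED_CHARS)
    mask = new_secret()
    masked = "".join(
        CSRF_ALLOWED_CHARS[(CSRF_ALLOWED_CHARS.index(s) + CSRF_ALLOWED_CHARS.index(m)) % n]
        for s, m in zip(secret, mask)
    )
    return mask + masked


def unmask_token(token: str) -> str:
    """Invert mask_secret: strip the mask prefix and subtract it mod 62."""
    n = len(CSRF_ALLOWED_CHARS)
    mask, masked = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    return "".join(
        CSRF_ALLOWED_CHARS[(CSRF_ALLOWED_CHARS.index(c) - CSRF_ALLOWED_CHARS.index(m)) % n]
        for c, m in zip(masked, mask)
    )


def is_well_formed(token: str) -> bool:
    """Reject anything that is not exactly 64 chars from the allowed alphabet."""
    return len(token) == CSRF_TOKEN_LENGTH and all(c in CSRF_ALLOWED_CHARS for c in token)


def csrf_check_passes(cookie_token: str, request_token: str) -> bool:
    """The middleware's decision for an unsafe (e.g. POST) request.

    cookie_token comes from the browser's cookie jar for this site; request_token
    comes from the POST body (csrfmiddlewaretoken) or a request header. Both must
    be well formed and unmask to the same secret. The comparison is constant-time
    so that timing does not leak how many leading characters matched.
    """
    if not (is_well_formed(cookie_token) and is_well_formed(request_token)):
        return False
    return hmac.compare_digest(unmask_token(cookie_token), unmask_token(request_token))


def demo() -> dict:
    """Constructed scenarios showing which submissions the check accepts."""
    victim_secret = new_secret()
    cookie = mask_secret(victim_secret)        # stored in the victim's browser for this site
    form_token = mask_secret(victim_secret)    # rendered into a form the victim loaded
    # A page on another origin holds only tokens from its own visit to the site,
    # i.e. a token for a different secret; it cannot read the victim's cookie or form.
    attacker_token = mask_secret(new_secret())
    return {
        # Normal same-site submission: cookie and form token share a secret.
        "legitimate_post": csrf_check_passes(cookie, form_token),
        # The thread's observation: the two values are interchangeable, because both
        # are masked views of the same secret. Using it requires already holding a
        # token for the victim's secret, which the cross-site page does not.
        "form_token_used_as_cookie": csrf_check_passes(form_token, cookie),
        # Cross-site forgery: browser attaches the victim's cookie, but the request
        # token the attacking page can supply unmasks to a different secret.
        "cross_site_forgery": csrf_check_passes(cookie, attacker_token),
        # Truncated or otherwise malformed tokens are rejected before comparison.
        "malformed_request_token": csrf_check_passes(cookie, attacker_token[:10]),
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario}: {'accepted' if accepted else 'rejected'}")
```

Running the module prints one line per scenario; only the first two are accepted, and both of those require a token that was minted for the victim's own secret. Note what the check does not cover: it does not verify where the request came from, so Django pairs it with a Referer/Origin check on HTTPS, and a SameSite cookie attribute, as in Etienne's OWASP link, keeps the cookie out of cross-site POSTs entirely.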

