Re: CSRF token still needed today?

2020-04-21 Thread David Merrick
Hi, if you have a URL with stuff?Stuff=Stuff, the URL can be changed.
See the link below.
https://portswigger.net/web-security/csrf

On Wed, Apr 22, 2020 at 6:16 AM guettli 
wrote:

> Hi David, could you please explain how cross site forgery requests can
> happen with the current default for cookies (SameSite=Lax)?


-- 
Dave Merrick

TutorInvercargill

http://tutorinvercargill.co.nz

Daves Web Designs

Website http://www.daveswebdesigns.co.nz

Email merrick...@gmail.com

Ph   03 216 2053

Cell 027 3089 169

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/CA%2B%3DMcKa4bcep3kd1TUf54RdXepgQvNuXAkYGsUHOCi%3DBAPC0Gw%40mail.gmail.com.


Re: CSRF token still needed today?

2020-04-21 Thread Kenny Loveall
The original blog post you posted seems to answer this question. Further, it
states "It's going to be a long time until we can consider removing
traditional anti-CSRF mechanisms but adding SameSite on top of those gives
us an incredibly robust defence." Like most things in security, I think
this is an "in addition to" instead of "in place of." At least until all
browsers support it (and that can be guaranteed by some mechanism).

For me personally, the cost of keeping/adding them in is really low since
Django handles the recordkeeping and validation. However, if you have a
specific use case where a) you can guarantee everyone is using a
compatible browser and b) CSRF tokens are difficult to implement for some
reason, I think it's relatively reasonable to drop requiring them. This is
also assuming that your site doesn't do anything that makes it a high-value
target for attackers (such as financial transactions, etc.). If any of
these are not true, I would personally leave the protections in place.


On Tue, Apr 21, 2020 at 1:19 PM guettli 
wrote:

> On Sunday, 19 April 2020 23:11:59 UTC+2, Alex Heyden wrote:
>>
>> Django supports samesite on session cookies now, and it's on (set to lax)
>> by default. Whether or not that completely covers your surface risk to CSRF
>> attacks is a somewhat different question.
>>
>>
> AFAIK they can not happen. But I am not an expert in this area.
> Does somebody know if CSRF attacks can happen with SameSite=Lax cookies?
>

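An added worked example (not code from this thread or from Django) tying together David Merrick's point above that a GET URL with parameters can be altered and Kenny Loveall's "in addition to" argument: a toy Python model of which cookies a browser attaches under SameSite=Strict/Lax/None, with a simplified double-submit token check layered on top. The names (Cookie, Request, handle_transfer, run_scenarios), the cookie jars and the token values are constructed; the comparison is a plain double-submit, not Django's masked-token scheme.

```python
# Added example, not code from the thread or from Django: a toy model of which
# cookies a browser attaches under SameSite=Strict/Lax/None, plus a simplified
# double-submit CSRF token check. All names and sample values are constructed.
import hmac
from collections import namedtuple

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")
Cookie = namedtuple("Cookie", "name value samesite")            # samesite: Strict/Lax/None
Request = namedtuple("Request", "method cross_site top_level")  # top_level: a navigation

def cookie_sent(cookie, req):
    """Simplified SameSite rule: Strict never travels cross-site, Lax only on
    top-level navigations with a safe method, None always."""
    if not req.cross_site or cookie.samesite == "None":
        return True
    if cookie.samesite == "Lax":
        return req.top_level and req.method in SAFE_METHODS
    return False  # Strict

def csrf_token_valid(cookie_token, form_token):
    """Double-submit check: the form field must echo the token cookie."""
    if cookie_token is None or form_token is None:
        return False
    return hmac.compare_digest(cookie_token, form_token)

def handle_transfer(jar, req, form):
    """State-changing endpoint: needs a session, a POST, and a valid token."""
    cookies = {c.name: c.value for c in jar if cookie_sent(c, req)}
    if "sessionid" not in cookies:
        return "401 no session cookie arrived"
    if req.method in SAFE_METHODS:
        return "405 state change requires POST"
    if not csrf_token_valid(cookies.get("csrftoken"), form.get("csrfmiddlewaretoken")):
        return "403 CSRF check failed"
    return "200 transfer done"

# Constructed jars: Django's modern Lax default and a legacy SameSite=None one.
LAX_JAR = [Cookie("sessionid", "s3ss", "Lax"), Cookie("csrftoken", "t0k3n", "Lax")]
NONE_JAR = [Cookie("sessionid", "s3ss", "None"), Cookie("csrftoken", "t0k3n", "None")]

def run_scenarios():
    """Same endpoint, four situations; only the legitimate submit succeeds."""
    return {
        # 1. Same-site form: the template echoed the csrftoken cookie into the form.
        "same_site_post": handle_transfer(
            LAX_JAR, Request("POST", False, True), {"csrfmiddlewaretoken": "t0k3n"}),
        # 2. Cross-site auto-submitted form vs Lax: the session cookie stays home.
        "cross_site_post_lax": handle_transfer(LAX_JAR, Request("POST", True, True), {}),
        # 3. Cross-site link (top-level GET with parameters): Lax still sends the
        #    session, so a GET handler that changed state would act; this one refuses.
        "cross_site_get_lax": handle_transfer(LAX_JAR, Request("GET", True, True), {}),
        # 4. Legacy SameSite=None: the session arrives and only the token check
        #    stops it, because a forged form cannot know the csrftoken value.
        "cross_site_post_none": handle_transfer(NONE_JAR, Request("POST", True, True), {}),
    }

if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:22s} -> {outcome}")
```

Scenario 3 is the case SameSite=Lax does not cover on its own, and scenario 4 is the case only the token covers; together they are why the blog post quoted above calls SameSite a defence "on top of" the token rather than a replacement.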


Re: CSRF token still needed today?

2020-04-21 Thread guettli


On Sunday, 19 April 2020 23:11:59 UTC+2, Alex Heyden wrote:
>
> Django supports samesite on session cookies now, and it's on (set to lax) 
> by default. Whether or not that completely covers your surface risk to CSRF 
> attacks is a somewhat different question.
>
>
AFAIK they can not happen. But I am not an expert in this area.
Does somebody know if CSRF attacks can happen with SameSite=Lax cookies?




Re: CSRF token still needed today?

2020-04-21 Thread guettli
Hi Andreas. I try to avoid doing things which are not needed. Some call
doing things which are not needed "useless", some even call it "stupid", 
but that's rude.

On Monday, 20 April 2020 12:46:14 UTC+2, Andréas Kühne wrote:
>
> Why is it a problem to have? You add one specific command on all forms - 
> or you disable it in the view 
>
> What do you want to accomplish by removing it?
>
> Regards,
>
> Andréas
>
>



Re: CSRF token still needed today?

2020-04-21 Thread guettli
Hi David, could you please explain how cross site forgery requests can
happen with the current default for cookies (SameSite=Lax)?

On Monday, 20 April 2020 14:43:10 UTC+2, David Merrick wrote:
>
> if you want cross site forgery requests get rid of it
>



Re: CSRF token still needed today?

2020-04-20 Thread David Merrick
if you want cross site forgery requests get rid of it

On Mon, Apr 20, 2020 at 10:45 PM Andréas Kühne 
wrote:

> Why is it a problem to have? You add one specific command on all forms -
> or you disable it in the view
>
> What do you want to accomplish by removing it?
>
> Regards,
>
> Andréas
>
>




Re: CSRF token still needed today?

2020-04-20 Thread Andréas Kühne
Why is it a problem to have? You add one specific command on all forms - or
you disable it in the view

What do you want to accomplish by removing it?

Regards,

Andréas


On Sun, 19 Apr 2020 at 22:12, guettli <guettli.goo...@thomas-guettler.de> wrote:

> I look at this page: https://docs.djangoproject.com/en/3.0/ref/csrf/
> ... and then I look at this page: https://scotthelme.co.uk/csrf-is-dead/
>
> Is a CSRF token still needed today?
>
> All my users use a modern browser.
>
> It would be very nice if I could get rid of the CSRF token.
>
> Is there a safe way to avoid CSRF tokens in my Django project?
>
> Regards,
>   Thomas
>



Re: CSRF token still needed today?

2020-04-19 Thread Alex Heyden
Django supports samesite on session cookies now, and it's on (set to lax)
by default. Whether or not that completely covers your surface risk to CSRF
attacks is a somewhat different question.

On Sun, Apr 19, 2020 at 3:12 PM guettli 
wrote:

> I look at this page: https://docs.djangoproject.com/en/3.0/ref/csrf/
> ... and then I look at this page: https://scotthelme.co.uk/csrf-is-dead/
>
> Is a CSRF token still needed today?
>
> All my users use a modern browser.
>
> It would be very nice if I could get rid of the CSRF token.
>
> Is there a safe way to avoid CSRF tokens in my Django project?
>
> Regards,
>   Thomas
>



Re: CSRF token still needed today?

2020-04-19 Thread Jorge Gimeno
On Sun, Apr 19, 2020 at 1:12 PM guettli 
wrote:

> I look at this page: https://docs.djangoproject.com/en/3.0/ref/csrf/
> ... and then I look at this page: https://scotthelme.co.uk/csrf-is-dead/
>
> Is a CSRF token still needed today?
>
> All my users use a modern browser.
>
> It would be very nice if I could get rid of the CSRF token.
>
> Is there a safe way to avoid CSRF tokens in my Django project?
>
> Regards,
>   Thomas
>

For my projects, I am going to keep CSRF tokens. The time taken to put one
in a template is minimal, and I don't run the risk of turning off CSRF
somewhere and having that be the reason for an incident.

-Jorge



CSRF token still needed today?

2020-04-19 Thread guettli
I look at this page: https://docs.djangoproject.com/en/3.0/ref/csrf/
... and then I look at this page: https://scotthelme.co.uk/csrf-is-dead/

Is a CSRF token still needed today?

All my users use a modern browser.

It would be very nice if I could get rid of the CSRF token.

Is there a safe way to avoid CSRF tokens in my Django project?

Regards,
  Thomas
