Re: How to rename crfstoken

2015-04-28 Thread Russell Keith-Magee
Hi Vermus,

Yes, the form value is currently hard coded.

I can't think of any particular reason that this shouldn't be configurable
though. If you're looking to get into Django development, it would be a
fairly easy feature to contribute - there isn't that much code required to
implement the change, and the docs and tests will be pretty straightforward.

Yours,
Russ Magee %-)

On Tue, Apr 28, 2015 at 5:27 PM, Vermus wrote:

> OK, I renamed the cookie name,
> but what about renaming the input name "csrfmiddlewaretoken" of
> {% csrf_token %}?
>
> As I see it, it is hardcoded?
>
> http://stackoverflow.com/questions/27087626/rename-csrfmiddlewaretoken
>
> On Tuesday, April 28, 2015 at 11:28:36 UTC+3, Vermus wrote:
>>
>> Oh, I missed this setting, stupid (I think it is new for me, I'm using
>> Django since 1.0).
>> Thank you!

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/CAJxq84-NvvNd%3Dji-eE5L_C0Owz0MGrjCvu8Ox_X0q0%3DoiBxRFQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
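
An added example, not part of the thread or of Django's code base: a check a site owner can run over their own responses to see which default Django markers are still visible after setting `CSRF_COOKIE_NAME`. The `audit_response` helper and the sample data are constructed for illustration; the `sessionid` default of `SESSION_COOKIE_NAME` goes beyond what the thread mentions.

```python
"""Added example: audit an HTTP response for default Django client-side markers."""
from html.parser import HTMLParser
from http.cookies import SimpleCookie

# Default cookie names and the Django setting that renames each one.
DEFAULT_COOKIES = {"csrftoken": "CSRF_COOKIE_NAME", "sessionid": "SESSION_COOKIE_NAME"}
# Hidden input emitted by {% csrf_token %}; the thread describes it as hard coded.
DEFAULT_FORM_FIELD = "csrfmiddlewaretoken"


class _HiddenInputs(HTMLParser):
    """Collect the name attribute of every <input type="hidden">."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and (attrs.get("type") or "").lower() == "hidden":
            if attrs.get("name"):
                self.names.append(attrs["name"])


def audit_response(set_cookie_headers, html_body):
    """Return sorted (marker, remediation) pairs that a client can still see."""
    findings = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name in jar:
            if name in DEFAULT_COOKIES:
                findings.append((name, "rename via " + DEFAULT_COOKIES[name]))
    parser = _HiddenInputs()
    parser.feed(html_body)
    if DEFAULT_FORM_FIELD in parser.names:
        findings.append((DEFAULT_FORM_FIELD, "no setting; hard coded per the thread"))
    return sorted(findings)


# Constructed sample: CSRF_COOKIE_NAME was changed to "xt", the form tag was not.
SAMPLE_COOKIES = ["xt=abc123; Path=/", "sessionid=deadbeef; HttpOnly; Path=/"]
SAMPLE_HTML = """<form method="post"><input type='hidden'
 name='csrfmiddlewaretoken' value='abc123'><input name="q"></form>"""

if __name__ == "__main__":
    for marker, advice in audit_response(SAMPLE_COOKIES, SAMPLE_HTML):
        print(f"{marker}: {advice}")
```
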


Re: How to rename crfstoken

2015-04-28 Thread Vermus

OK, I renamed the cookie name,
but what about renaming the input name "csrfmiddlewaretoken" of {% csrf_token %}?

As I see it, it is hardcoded?

http://stackoverflow.com/questions/27087626/rename-csrfmiddlewaretoken


On Tuesday, April 28, 2015 at 11:28:36 UTC+3, Vermus wrote:
>
> Oh, I missed this setting, stupid (I think it is new for me, I'm using
> Django since 1.0).
> Thank you!


Re: How to rename crfstoken

2015-04-28 Thread Vermus

Oh, I missed this setting, stupid (I think it is new for me, I'm using
Django since 1.0).
Thank you!


On Tuesday, April 28, 2015 at 10:51:11 UTC+3, Russell Keith-Magee wrote:
>
> Hi Vermus,
>
> Calling this a security "breach" is a bit inaccurate; but I certainly 
> agree that it is good practice to make the framework undetectable from the 
> client side.
>
> That's why there's a setting that does exactly what you suggest:
>
> https://docs.djangoproject.com/en/1.8/ref/settings/#csrf-cookie-name
>
> Yours,
> Russ Magee %-)


Re: How to rename crfstoken

2015-04-28 Thread Russell Keith-Magee
Hi Vermus,

Calling this a security "breach" is a bit inaccurate; but I certainly agree
that it is good practice to make the framework undetectable from the client
side.

That's why there's a setting that does exactly what you suggest:

https://docs.djangoproject.com/en/1.8/ref/settings/#csrf-cookie-name

Yours,
Russ Magee %-)


On Tue, Apr 28, 2015 at 3:27 PM, Vermus wrote:

> Hi, I found that my site is detected by
> http://trends.builtwith.com/framework/Django-CSRF by the crfstoken header.
> I think it's a security breach when users know what framework is used on
> the server side.
> There must be such web server tuning that no one can detect the framework
> and the server-side programming language.