Re: Making sure Web APIs built with Django don't have CSRF vulnerabilities.

2012-03-21 Thread Tom Christie
I don't know how much of an issue it really is (or not), but I haven't really seen it being done right. Of all the examples I've found of devs implementing session authentication on top of piston and tastypie, (See here

Re: Making sure Web APIs built with Django don't have CSRF vulnerabilities.

2012-03-16 Thread Paul McMillan
>> One idea for mitigating this in Django core that I've considered would be
>> introducing a '@csrf_defered' decorator
> Practically speaking, I think this might be ok and would cover the
> majority of real cases. But at the very least it means that this
> decorator should live in contrib.sessions

Re: Making sure Web APIs built with Django don't have CSRF vulnerabilities.

2012-03-14 Thread Carl Meyer
Hi Tom, Thanks for raising this. On 03/14/2012 11:20 AM, Tom Christie wrote: [snip]
> One idea for mitigating this in Django core that I've considered would be
> introducing a '@csrf_defered' decorator, that would act like
> '@csrf_exempt', but wrap request.session in a lazily evaluated
> '@csrf_p

Making sure Web APIs built with Django don't have CSRF vulnerabilities.

2012-03-14 Thread Tom Christie
Hi all, This is a follow-on to an issue that's been discussed on django-security. It's been suggested that it should be raised in this forum instead, so... Most of the time when building Web APIs with Django the right thing to do is to wrap API views in @csrf_exempt. Generally Web APIs shou