[Django] #33836: Incompatible default setting for CSRF_HEADER_NAME

[Django]

#33836: Incompatible default setting for CSRF_HEADER_NAME
-------------------------------------+-------------------------------------
Reporter: Matías | Owner: Matías Santurio
Santurio |
Type: Bug | Status: assigned
Component: CSRF | Version: 4.0
Severity: Normal | Keywords: CSRF settings
Triage Stage: | Has patch: 0
Unreviewed |
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
The default setting for CSRF_HEADER_NAME is 'HTTP_X_CSRFTOKEN' which is
incompatible with modern web application servers (including django
development server), this is because it includes an underscore, which
these servers don't allow since it can lead to 'header-spoofing'.

--
Ticket URL: <https://code.djangoproject.com/ticket/33836>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

[Django]

#33836: Incompatible default setting for CSRF_HEADER_NAME
-------------------------------------+-------------------------------------

Reporter: Matías Santurio | Owner: Matías

| Santurio
Type: Bug | Status: assigned
Component: CSRF | Version: 4.0

Severity: Normal | Resolution:

Keywords: CSRF settings | Triage Stage:

| Unreviewed
Has patch: 0 | Needs documentation: 0

Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Changes (by Matías Santurio):

* owner: Matías Santurio => Matías Santurio

--
Ticket URL: <https://code.djangoproject.com/ticket/33836#comment:1>

[Django]

#33836: Incompatible default setting for CSRF_HEADER_NAME
-------------------------------------+-------------------------------------
Reporter: Matías Santurio | Owner: Matías
| Santurio

Type: Bug | Status: closed
Component: CSRF | Version: 4.0
Severity: Normal | Resolution: fixed

Keywords: CSRF settings | Triage Stage:
| Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Matías Santurio):

* status: assigned => closed
* resolution: => fixed

--
Ticket URL: <https://code.djangoproject.com/ticket/33836#comment:2>

[Django]

#33836: Incompatible default setting for CSRF_HEADER_NAME
-------------------------------------+-------------------------------------
Reporter: Matías Santurio | Owner: Matías
| Santurio
Type: Bug | Status: closed
Component: CSRF | Version: 4.0
Severity: Normal | Resolution: fixed
Keywords: CSRF settings | Triage Stage:
| Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Description changed by Matías Santurio:

Old description:

> The default setting for CSRF_HEADER_NAME is 'HTTP_X_CSRFTOKEN' which is
> incompatible with modern web application servers (including django
> development server), this is because it includes an underscore, which
> these servers don't allow since it can lead to 'header-spoofing'.

New description:

The default setting for CSRF_HEADER_NAME is 'HTTP_X_CSRFTOKEN' which is
incompatible with modern web application servers (including django
development server), this is because it includes an underscore, which
these servers don't allow since it can lead to 'header-spoofing'.

I found this on 4.0 but it's present in 4.1 and dev aswell.

--

--
Ticket URL: <https://code.djangoproject.com/ticket/33836#comment:3>

[Django]

#33836: Incompatible default setting for CSRF_HEADER_NAME
-------------------------------------+-------------------------------------
Reporter: Matías Santurio | Owner: Matías
| Santurio
Type: Bug | Status: closed
Component: CSRF | Version: 4.0
Severity: Normal | Resolution: fixed
Keywords: CSRF settings | Triage Stage:
| Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Description changed by Matías Santurio:

Old description:

> The default setting for CSRF_HEADER_NAME is 'HTTP_X_CSRFTOKEN' which is
> incompatible with modern web application servers (including django
> development server), this is because it includes an underscore, which
> these servers don't allow since it can lead to 'header-spoofing'.
>

> I found this on 4.0 but it's present in 4.1 and dev aswell.

New description:

The default setting for CSRF_HEADER_NAME is 'HTTP_X_CSRFTOKEN' which is
incompatible with modern web application servers (including django
development server), this is because it includes an underscore, which
these servers don't allow since it can lead to 'header-spoofing'.

I found this on 4.0 but it's present in 4.1 and dev as well.

--

--
Ticket URL: <https://code.djangoproject.com/ticket/33836#comment:4>

[Django]

#33836: Incompatible default setting for CSRF_HEADER_NAME
-------------------------------------+-------------------------------------
Reporter: Matías Santurio | Owner: Matías
| Santurio
Type: Bug | Status: closed
Component: CSRF | Version: 4.0

Severity: Normal | Resolution: invalid

Keywords: CSRF settings | Triage Stage:
| Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Changes (by Matías Santurio):

* resolution: fixed => invalid

--
Ticket URL: <https://code.djangoproject.com/ticket/33836#comment:5>