CSRF token still needed today?


guettli

Apr 19, 2020, 4:11:33 PM
to Django users
I look at this page: https://docs.djangoproject.com/en/3.0/ref/csrf/
... and then I look at this page: https://scotthelme.co.uk/csrf-is-dead/

Is a CSRF token still needed today?

All my users use a modern browser.

It would be very nice if I could get rid of the CSRF token.

Is there a safe way to avoid CSRF tokens in my Django project?

Regards,
  Thomas

Jorge Gimeno

Apr 19, 2020, 4:24:29 PM
to django...@googlegroups.com
--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/487c7392-e874-4a1e-a1ff-488ab933ae42%40googlegroups.com.

For my projects, I am going to keep CSRF tokens. The time taken to put one in a template is minimal, and I don't run the risk of turning off CSRF somewhere and having that be the reason for an incident.

-Jorge

Alex Heyden

Apr 19, 2020, 5:11:59 PM
to django...@googlegroups.com
Django supports samesite on session cookies now, and it's on (set to lax) by default. Whether or not that completely covers your surface risk to CSRF attacks is a somewhat different question.

Andréas Kühne

Apr 20, 2020, 6:46:14 AM
to django...@googlegroups.com
Why is it a problem to have? You add one specific command on all forms - or you disable it in the view.... 

What do you want to accomplish by removing it?

Regards,

Andréas


David Merrick

Apr 20, 2020, 8:43:10 AM
to django...@googlegroups.com
If you want cross-site forgery requests, get rid of it.



--
Dave Merrick

TutorInvercargill


Email merri...@gmail.com

Ph   03 216 2053

Cell 027 3089 169

guettli

Apr 21, 2020, 2:16:09 PM
to Django users
Hi David, could you please explain how cross-site forgery requests can happen with the current default for cookies (SameSite=Lax)?


Am Montag, 20. April 2020 14:43:10 UTC+2 schrieb David Merrick:
If you want cross-site forgery requests, get rid of it.


guettli

Apr 21, 2020, 2:17:22 PM
to Django users
Hi Andreas. I try to avoid doing things which are not needed. Some call
doing things which are not needed "useless", some even call it "stupid", but that's rude.


Am Montag, 20. April 2020 12:46:14 UTC+2 schrieb Andréas Kühne:
Why is it a problem to have? You add one specific command on all forms - or you disable it in the view.... 

What do you want to accomplish by removing it?

Regards,

Andréas



guettli

Apr 21, 2020, 2:18:31 PM
to Django users


Am Sonntag, 19. April 2020 23:11:59 UTC+2 schrieb Alex Heyden:
Django supports samesite on session cookies now, and it's on (set to lax) by default. Whether or not that completely covers your surface risk to CSRF attacks is a somewhat different question.


AFAIK they can not happen. But I am not an expert in this area.
Does somebody know if CSRF attacks can happen with SameSite=Lax cookies?

Kenny Loveall

Apr 21, 2020, 3:01:28 PM
to django...@googlegroups.com
The original blog post you posted seems to answer this question. Further it states "It's going to be a long time until we can consider removing traditional anti-CSRF mechanisms but adding SameSite on top of those gives us an incredibly robust defence." Like most things in security, I think this is an "in addition to" instead of "in place of." At least until all browsers support it (and that can be guaranteed by some mechanism).

For me personally the cost of keeping/adding them in is really low since Django handles the recordkeeping and validation. However, if you have a specific use case where a) you can guarantee everyone is using a compatible browser and b) CSRF tokens are difficult to implement for some reason, I think it's relatively reasonable to drop requiring them. This is also assuming that your site doesn't do anything that makes it a high value target for attackers (such as financial transactions, etc.). If any of these are not true, I would personally leave the protections in place.



David Merrick

Apr 21, 2020, 3:49:31 PM
to django...@googlegroups.com
Hi, if you have a URL with stuff?Stuff=Stuff, the URL can be changed.
See the link below.
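
To make the two mechanisms discussed in this thread concrete (Alex's SameSite=Lax default and David's point about GET URLs), here is an added example of my own, not code from Django or from anyone in the thread. It models the browser's SameSite cookie rule next to a reduced Django-style CSRF token check; the request shapes, the secret value and the outcome strings are constructed for illustration, and the token check is a simplified stand-in for CsrfViewMiddleware, not its real implementation. It shows that Lax stops a cross-site POST on its own, that a state-changing GET reached by a link is covered by neither mechanism, and that the token still matters once a cookie is SameSite=None.

```python
# Added illustration; not Django's code nor from anyone in the thread.
from dataclasses import dataclass
from typing import Dict, Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}   # methods CsrfViewMiddleware does not check
CSRF_SECRET = "constructed-example-secret"           # stands in for the csrftoken cookie value

@dataclass
class Request:
    method: str
    cross_site: bool             # initiated from a page on another site
    top_level_navigation: bool   # link click / form submit, not <img>, fetch() or iframe
    form_token: Optional[str] = None
    session_cookie_exists: bool = True   # assume the victim is logged in

def browser_sends_cookie(req: Request, samesite: str) -> bool:
    """Model of the SameSite rule a modern browser applies to the session cookie."""
    if not req.cross_site or samesite == "None":
        return True
    if samesite == "Strict":
        return False
    # Lax: only top-level navigations with a safe method carry the cookie.
    return req.top_level_navigation and req.method in SAFE_METHODS

def handle(req: Request, csrf_enabled: bool = True, samesite: str = "Lax") -> str:
    """Server side: a view behind session middleware and (optionally) a CSRF check."""
    if not (req.session_cookie_exists and browser_sends_cookie(req, samesite)):
        return "ignored: no session cookie arrived"
    if csrf_enabled and req.method not in SAFE_METHODS and req.form_token != CSRF_SECRET:
        return "403: CSRF token missing or wrong"   # where Django would reject
    return "handler ran with the user's session"    # state changes only if the view changes state

def demo(csrf_enabled: bool = True, samesite: str = "Lax") -> Dict[str, str]:
    """Outcomes for constructed request shapes; compare Lax vs None and token on vs off."""
    cases = {
        "cross-site auto-submitted POST form": Request("POST", True, True),
        "cross-site image tag fetching /delete?id=5": Request("GET", True, False),
        "cross-site link to /delete?id=5": Request("GET", True, True),
        "same-site POST form with token": Request("POST", False, True, CSRF_SECRET),
        "same-site POST form without token": Request("POST", False, True),
    }
    return {name: handle(r, csrf_enabled, samesite) for name, r in cases.items()}

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:45} -> {outcome}")
```

The third case is the one neither mechanism covers: a view that changes state on GET behaves the same with or without the token, so the fix there is to require POST, not to trust the cookie attribute.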
