How to rename csrftoken


Vermus

Apr 28, 2015, 3:27:11 AM
to django...@googlegroups.com
Hi, I found that my site is detected by http://trends.builtwith.com/framework/Django-CSRF by the csrftoken header.
I think it's a security breach when users know what framework is used on the server side.
There must be such web server tuning that no one can detect the framework and server-side programming language.

Russell Keith-Magee

Apr 28, 2015, 3:51:11 AM
to Django Users
Hi Vermus,

Calling this a security "breach" is a bit inaccurate; but I certainly agree that it is good practice to make the framework undetectable from the client side.

That's why there's a setting that does exactly what you suggest:


Yours,
Russ Magee %-)


--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To post to this group, send email to django...@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/768a1d03-e749-428a-8094-4a2d2f27e873%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Vermus

Apr 28, 2015, 4:28:36 AM
to django...@googlegroups.com

Oh, I missed this setting, stupid of me (I think it is new to me; I've been using Django since 1.0).
Thank you!


On Tuesday, April 28, 2015 at 10:51:11 UTC+3, Russell Keith-Magee wrote:

Vermus

Apr 28, 2015, 5:27:57 AM
to django...@googlegroups.com

OK, I renamed the cookie name,
but what about renaming the input name "csrfmiddlewaretoken" of {% csrf_token %}?

As far as I can see, it is hardcoded?



On Tuesday, April 28, 2015 at 11:28:36 UTC+3, Vermus wrote:

Russell Keith-Magee

Apr 28, 2015, 6:51:26 PM
to Django Users

Hi Vermus,

Yes, the form value is currently hard coded.

I can't think of any particular reason that this shouldn't be configurable though. If you're looking to get into Django development, it would be a fairly easy feature to contribute - there isn't that much code required to implement the change, and the docs and tests will be pretty straightforward.

Yours,
Russ Magee %-)

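An added example, not part of this thread or of Django's own code: a small Python self-check over constructed HTTP responses that shows the point of the last two messages, namely that renaming the CSRF cookie alone leaves the hard-coded csrfmiddlewaretoken hidden field as a framework fingerprint. The renamed cookie name session_guard, the sample token value and the form markup are assumptions made for the example.

```python
import re

# The two indicators discussed in the thread: the cookie name is
# configurable, while the hidden field emitted by {% csrf_token %}
# was hard coded at the time of the thread.
DEFAULT_COOKIE_NAME = "csrftoken"
HARDCODED_FIELD_NAME = "csrfmiddlewaretoken"

INPUT_TAG_RE = re.compile(r"<input\b[^>]*>", re.IGNORECASE)
# Matches key="value" or key='value' attribute pairs inside a tag.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")


def cookie_names(set_cookie_headers):
    """Names of the cookies a response sets (token before '=' in each Set-Cookie value)."""
    names = set()
    for header in set_cookie_headers:
        name, sep, _ = header.partition("=")
        if sep:
            names.add(name.strip())
    return names


def hidden_input_names(html):
    """Names of all <input type="hidden"> elements, whatever the attribute order."""
    names = set()
    for tag in INPUT_TAG_RE.findall(html):
        attrs = {}
        for key, double_quoted, single_quoted in ATTR_RE.findall(tag):
            attrs[key.lower()] = double_quoted if double_quoted else single_quoted
        if attrs.get("type", "").lower() == "hidden" and "name" in attrs:
            names.add(attrs["name"])
    return names


def django_csrf_fingerprints(set_cookie_headers, html):
    """Which of the two Django CSRF indicators a response still exposes."""
    return {
        "default_csrf_cookie": DEFAULT_COOKIE_NAME in cookie_names(set_cookie_headers),
        "hardcoded_csrf_field": HARDCODED_FIELD_NAME in hidden_input_names(html),
    }


def audit(response):
    """Sorted list of the indicator names present in a response, for a quick self-check."""
    found = django_csrf_fingerprints(response["set_cookie"], response["html"])
    return sorted(name for name, present in found.items() if present)


# Constructed sample responses (assumptions, not captured from a real site).
DEFAULT_DEPLOYMENT = {
    "set_cookie": ["csrftoken=EXAMPLETOKEN0000; Path=/; Secure; HttpOnly"],
    "html": """<form method="post" action="/login/">
  <input type="hidden" name="csrfmiddlewaretoken" value="EXAMPLETOKEN0000">
  <input type="text" name="username">
</form>""",
}

# Same site after only the cookie was renamed (session_guard is an assumed name).
RENAMED_COOKIE_ONLY = {
    "set_cookie": ["session_guard=EXAMPLETOKEN0000; Path=/; Secure; HttpOnly"],
    "html": """<form method="post" action="/login/">
  <input name="csrfmiddlewaretoken" type="hidden" value="EXAMPLETOKEN0000">
  <input type="text" name="username">
</form>""",
}


if __name__ == "__main__":
    print("default deployment:", audit(DEFAULT_DEPLOYMENT))
    print("renamed cookie only:", audit(RENAMED_COOKIE_ONLY))
```

Run against the constructed samples, the default deployment reports both indicators and the renamed-cookie variant still reports the hard-coded field, which is the residual fingerprint Vermus asks about in the thread.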