Django 1.2 and Cross Site Request Forgery

Steve Bywater

Jul 14, 2010, 5:13:15 PM7/14/10
to Python Security
One of the things that attracted me to django was its built-in
support for many things like CSRF protection. I've been working under
the assumption that my production code is safe in that regard,
site-wide.

If you have the same assumption, check out http://djangoadvent.com/1.2/django-12-and-csrf/,
which offers a good background in CSRF protection in django, why it
wasn't up to snuff, and how it is now better. But more importantly, it
wasn't until reading it that I discovered I now have to add
{% csrf_token %} to any form on which I want to have CSRF protection.
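The check that the {% csrf_token %} tag feeds, shown as an added example rather than code from the post or from Django itself: a small model of the synchronizer-token pattern in which the server mints a secret per session, the template emits it as the hidden field Django names csrfmiddlewaretoken, and the view rejects any POST whose field does not match. Django 1.2 keeps the expected token in a cookie rather than a server-side dictionary; the SESSIONS store, the CsrfApp-style helper names and the three scenarios in demo() are assumptions made for this example.

```python
"""Added example, not from the original post or from Django: a minimal model
of the synchronizer-token CSRF check behind Django 1.2's {% csrf_token %}.
SESSIONS, render_form, browser_submit, check_csrf and demo are hypothetical
names; Django itself keeps the expected token in a cookie, not a dict."""
import hmac
import re
import secrets

# Hidden-field name emitted by Django's {% csrf_token %} tag.
TOKEN_FIELD = "csrfmiddlewaretoken"
# session id -> per-session CSRF token (constructed stand-in for Django's cookie)
SESSIONS: dict[str, str] = {}


def get_or_create_token(session_id: str) -> str:
    """Return the session's CSRF token, minting a random one on first use."""
    if session_id not in SESSIONS:
        SESSIONS[session_id] = secrets.token_hex(16)  # 32 hex chars
    return SESSIONS[session_id]


def render_form(session_id: str, with_token: bool) -> str:
    """Render a POST form; with_token=True mirrors adding {% csrf_token %}
    to the template, with_token=False is the form the post warns about."""
    hidden = ""
    if with_token:
        hidden = (f'<input type="hidden" name="{TOKEN_FIELD}" '
                  f'value="{get_or_create_token(session_id)}">')
    return (f'<form method="post" action="/transfer">{hidden}'
            '<input name="amount"><button>Send</button></form>')


def browser_submit(html: str, fields: dict) -> dict:
    """Simulate the victim's browser posting the rendered form: any hidden
    token input in the page travels along with the user-typed fields."""
    post = dict(fields)
    m = re.search(rf'name="{TOKEN_FIELD}" value="([0-9a-f]+)"', html)
    if m:
        post[TOKEN_FIELD] = m.group(1)
    return post


def check_csrf(session_id: str, post: dict) -> int:
    """The middleware-side check: 403 unless the submitted field equals the
    session's token (constant-time compare, so length leaks nothing)."""
    expected = SESSIONS.get(session_id)
    submitted = post.get(TOKEN_FIELD, "")
    if expected is None or not hmac.compare_digest(expected, submitted):
        return 403
    return 200


def demo() -> tuple[int, int, int]:
    """Three constructed submissions for session 'alice': a form rendered
    with the tag, the same form without it, and a cross-site POST from an
    attacker page that never saw the victim's token."""
    sid = "alice"
    tagged = check_csrf(sid, browser_submit(render_form(sid, True),
                                            {"amount": "10"}))
    untagged = check_csrf(sid, browser_submit(render_form(sid, False),
                                              {"amount": "10"}))
    forged = check_csrf(sid, {"amount": "1000"})  # attacker cannot read token
    return tagged, untagged, forged


if __name__ == "__main__":
    print(demo())  # (200, 403, 403)
```

The middle case is the one the post is about: once the middleware enforces the token on every POST, a template that was never updated with {% csrf_token %} stops working with a 403 rather than silently staying unprotected, which is why a site-wide audit of POST forms is needed after the 1.2 upgrade.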

mdipierro

Jul 22, 2010, 12:04:58 PM7/22/10
to Python Security
web2py has done this since 2008, and all forms generated by web2py (FORM,
SQLFORM, crud.*) do this by default without you having to insert any
token.

Massimo

On Jul 14, 4:13 pm, Steve Bywater <stephen.bywa...@gmail.com> wrote:
> One of the things that attracted me to django was its built-in
> support for many things like CSRF protection. I've been working under
> the assumption that my production code is safe in that regard,
> site-wide.
>
> If you have the same assumption, check out http://djangoadvent.com/1.2/django-12-and-csrf/,