Opened 15 years ago

Closed 15 years ago

Last modified 6 years ago

#12738 closed Cleanup/optimization (wontfix)

CSRF token name should be a configurable setting

Reported by: German M. Bravo Owned by: nobody
Component: CSRF Version:
Severity: Normal Keywords:
Cc: German M. Bravo Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

The CSRF token name ('csrfmiddlewaretoken') should perhaps be configurable, for security reasons if not anything else...

Attachments (1)

#12738-csrf_token_url_name_configurable.diff (2.1 KB ) - added by German M. Bravo 12 years ago.

Download all attachments as: .zip

Change History (6)

comment:1 by Luke Plant, 15 years ago

I don't understand why that would improve security. The security lies in the value of the token, not the name. Most CSRF attacks are going to be per-site, and a setting would be per-site. Also, if an attacker was using a more generic attack against all Django-powered sites, it would be easy to find out what the name of the token is for a specific site - one request to a page that contains a POST form, and you are done, since a simple regex will in most cases find which field 'looks like' a Django CSRF token.

Do you have an actual use case where you need this?

comment:2 by Luke Plant, 15 years ago

Resolution: wontfix
Status: newclosed

No response, so I presume there is no use case, so closing.

comment:3 by Jacob, 13 years ago

milestone: 1.2

Milestone 1.2 deleted

comment:4 by German M. Bravo, 13 years ago

Cc: German M. Bravo added
Easy pickings: unset
Severity: Normal
Type: Uncategorized
UI/UX: unset

by German M. Bravo, 12 years ago

comment:5 by Tim Graham, 6 years ago

Component: UncategorizedCSRF
Type: UncategorizedCleanup/optimization

A PR implemented this with rationale "Wappalyzer identifies Django application with "csrfmiddlewaretoken" input name."

I wrote to django-developers to see if there's consensus to reopen this ticket.

Note: See TracTickets for help on using tickets.
Back to Top