#35796 closed New feature (wontfix)
Add signing support to the CSRF cookie
| Reported by: | Benjamin Zagorsky | Owned by: | |
|---|---|---|---|
| Component: | CSRF | Version: | dev |
| Severity: | Normal | Keywords: | csrf cookie signing |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description (last modified by )
Django's CSRF middleware should support signing and checking signatures on CSRF cookies. This would enable sites running on a subdomain of a shared domain name (ex. [SUBDOMAIN].herokuapp.com) to have protection from cookie tampering (reducing the caveat currently under https://docs.djangoproject.com/en/5.1/ref/csrf/#csrf-limitations).
In order to do this in a backwards compatible way, Django should have a setting CSRF_COOKIE_SIGNING that takes three settings:
"disabled"(default): CSRF token is not signed, but CSRF middleware accepts both signed and unsigned cookies."lenient": CSRF token is signed, and CSRF middleware accepts both signed and unsigned cookies.-
"strict": CSRF token is signed, and CSRF middleware only accepts signed cookies.
This would enable people to upgrade their systems over two releases with no disruption to users, stepping from "disabled" to "lenient" in one release and "lenient" to "strict" in the second release.
Django forum thread: https://forum.djangoproject.com/t/signing-the-csrf-cookie/35156/3
Change History (3)
follow-up: 3 comment:1 by , 7 weeks ago
| Component: | Core (Other) → CSRF |
|---|---|
| Easy pickings: | unset |
| Keywords: | signing added |
| Resolution: | → wontfix |
| Status: | new → closed |
comment:2 by , 8 days ago
| Description: | modified (diff) |
|---|---|
| Summary: | Add setting to sign CSRF cookie → Add signing support to the CSRF cookie |
comment:3 by , 8 days ago
I've vetted the plan more thoroughly on the Django Forum and have updated the ticket.
Replying to Natalia Bidart:
Hello Benjamin!
Adding a new setting to Django is quite controversial, and something that we try to avoid. Because of that, this requires an explicit agreement with the community. Besides the new setting proposal, I do understand that this report comes along with a new feature request, which would be adding "automatic" CSRF cookie signing to Django. For cases like this, the recommended path forward is to first propose and discuss the idea with the community and gain consensus. To do that, please consider starting a new conversation on the Django Forum, where you'll reach a broader audience and receive additional feedback.
I'll close the ticket for now, but if the community agrees with the proposal, please return to this ticket and reference the forum discussion so we can re-open it. For more information, please refer to the documented guidelines for requesting features.
Thanks!
Hello Benjamin!
Adding a new setting to Django is quite controversial, and something that we try to avoid. Because of that, this requires an explicit agreement with the community. Besides the new setting proposal, I do understand that this report comes along with a new feature request, which would be adding "automatic" CSRF cookie signing to Django. For cases like this, the recommended path forward is to first propose and discuss the idea with the community and gain consensus. To do that, please consider starting a new conversation on the Django Forum, where you'll reach a broader audience and receive additional feedback.
I'll close the ticket for now, but if the community agrees with the proposal, please return to this ticket and reference the forum discussion so we can re-open it. For more information, please refer to the documented guidelines for requesting features.
Thanks!