Opened 7 weeks ago
Last modified 8 days ago
#35796 closed New feature
Add setting to sign CSRF cookie — at Initial Version
| Reported by: | Benjamin Zagorsky | Owned by: | |
|---|---|---|---|
| Component: | CSRF | Version: | dev |
| Severity: | Normal | Keywords: | csrf cookie signing |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Django should have a setting CSRF_COOKIE_SIGNED that uses the cookie signing infrastructure to sign the CSRF cookie. This would enable sites running on a subdomain of a shared domain name (ex. [SUBDOMAIN].herokuapp.com) to have protection from cookie tampering (reducing the caveat currently under https://docs.djangoproject.com/en/5.1/ref/csrf/#csrf-limitations).
This setting should initially default to False for backwards comparability, although this could be changed in a future major release.
Note:
See TracTickets
for help on using tickets.