Opened 2 years ago
Last modified 2 years ago
#33836 closed Bug
Incompatible default setting for CSRF_HEADER_NAME — at Initial Version
| Reported by: | Matías Santurio | Owned by: | Matías Santurio |
|---|---|---|---|
| Component: | CSRF | Version: | 4.0 |
| Severity: | Normal | Keywords: | CSRF settings |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
The default setting for CSRF_HEADER_NAME is 'HTTP_X_CSRFTOKEN' which is incompatible with modern web application servers (including django development server), this is because it includes an underscore, which these servers don't allow since it can lead to 'header-spoofing'.
Note:
See TracTickets
for help on using tickets.