Incompatible default setting for CSRF_HEADER_NAME
The default setting for CSRF_HEADER_NAME is 'HTTP_X_CSRFTOKEN', which is incompatible with modern web application servers (including the Django development server). This is because it includes an underscore, which these servers don't allow since it can lead to 'header spoofing'.
I found this on 4.0 but it's present in 4.1 and dev as well.
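The following is an added example and is not code from the ticket or from Django itself. It simulates the CGI/WSGI convention by which a server turns an incoming HTTP header name into the request.META key that a setting such as CSRF_HEADER_NAME is matched against (upper-case, hyphens to underscores, HTTP_ prefix), and it shows the collision behind the header-spoofing concern the description mentions: a raw header name that itself contains an underscore maps to the same key as the hyphenated one, so a server that accepts underscored headers cannot tell the two apart. The function names, the allow_underscores flag and the sample headers are constructed for this example.

```python
# Added example, not Django's or the ticket author's code. Models how a
# CGI/WSGI server derives a request.META key from a raw HTTP header name
# and why raw header names containing underscores are dropped by default.

def header_to_meta_key(header_name: str) -> str:
    """Map an HTTP header name to its CGI/WSGI environ (request.META) key.

    Convention used by WSGI servers: upper-case the name, replace '-' with
    '_', and prefix with 'HTTP_'. Note that both 'X-CSRFToken' and the
    underscored 'X_CSRFToken' produce the same key, 'HTTP_X_CSRFTOKEN'.
    """
    return "HTTP_" + header_name.upper().replace("-", "_")


def has_underscore(header_name: str) -> bool:
    """True if the raw header name contains an underscore. Servers such as
    nginx ignore such headers by default precisely because of the collision
    demonstrated in build_meta()."""
    return "_" in header_name


def build_meta(headers: dict, allow_underscores: bool = False) -> dict:
    """Simulate a server building request.META from raw request headers.

    With allow_underscores=False (the safe default modelled here), a header
    whose raw name contains an underscore is discarded before mapping, so it
    can never shadow a hyphenated header that maps to the same META key.
    With allow_underscores=True, whichever header the server processes last
    wins, and the application cannot tell which one the client actually sent.
    """
    meta = {}
    for name, value in headers.items():  # constructed: dict order = arrival order
        if has_underscore(name) and not allow_underscores:
            continue
        meta[header_to_meta_key(name)] = value
    return meta


def csrf_token_from_meta(meta: dict, header_name: str = "HTTP_X_CSRFTOKEN") -> str:
    """Look up the CSRF token the way a framework would: by the normalized
    META key named in a setting (here defaulting to Django's documented
    default value for CSRF_HEADER_NAME)."""
    return meta.get(header_name, "")


if __name__ == "__main__":
    # Constructed sample request carrying both a hyphenated and an
    # underscored spelling of the same header name.
    sample_headers = {
        "X-CSRFToken": "token-from-hyphenated-header",
        "X_CSRFToken": "token-from-underscored-header",
    }
    safe = build_meta(sample_headers)
    permissive = build_meta(sample_headers, allow_underscores=True)
    print("safe default   :", csrf_token_from_meta(safe))
    print("underscores on :", csrf_token_from_meta(permissive))
```

Running it prints the hyphenated header's value under the safe default and the underscored header's value when underscores are allowed, which is the ambiguity that makes servers reject underscored header names in the first place.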
Change History (4)

Owner: changed from Matías Santurio to Matías Santurio
Resolution: → fixed
Status: assigned → closed
Description: modified (diff)
Description: modified (diff)