Add signing support to the CSRF cookie

[Benjamin Zagorsky]

Django's CSRF middleware should support signing and checking signatures on CSRF cookies. This would enable sites running on a subdomain of a shared domain name (ex. [SUBDOMAIN].herokuapp.com) to have protection from cookie tampering (reducing the caveat currently under ​https://docs.djangoproject.com/en/5.1/ref/csrf/#csrf-limitations).

In order to do this in a backwards compatible way, Django should have a setting CSRF_COOKIE_SIGNING that takes three settings:

1. "disabled" (default): CSRF token is not signed, but CSRF middleware accepts both signed and unsigned cookies.
2. "lenient": CSRF token is signed, and CSRF middleware accepts both signed and unsigned cookies.
3. "strict": CSRF token is signed, and CSRF middleware only accepts signed cookies.

This would enable people to upgrade their systems over two releases with no disruption to users, stepping from "disabled" to "lenient" in one release and "lenient" to "strict" in the second release.

Django forum thread: ​https://forum.djangoproject.com/t/signing-the-csrf-cookie/35156/3

[Natalia Bidart]

Hello Benjamin!

Adding a new setting to Django is quite controversial, and something that we try to avoid. Because of that, this requires an explicit agreement with the community. Besides the new setting proposal, I do understand that this report comes along with a new feature request, which would be adding "automatic" CSRF cookie signing to Django. For cases like this, the recommended path forward is to first propose and discuss the idea with the community and gain consensus. To do that, please consider starting a new conversation on the ​Django Forum, where you'll reach a broader audience and receive additional feedback.

I'll close the ticket for now, but if the community agrees with the proposal, please return to this ticket and reference the forum discussion so we can re-open it. For more information, please refer to ​the documented guidelines for requesting features.

Thanks!

[Benjamin Zagorsky]

I've vetted the plan more thoroughly on the Django Forum and have updated the ticket.

Replying to Natalia Bidart:

Hello Benjamin!

Adding a new setting to Django is quite controversial, and something that we try to avoid. Because of that, this requires an explicit agreement with the community. Besides the new setting proposal, I do understand that this report comes along with a new feature request, which would be adding "automatic" CSRF cookie signing to Django. For cases like this, the recommended path forward is to first propose and discuss the idea with the community and gain consensus. To do that, please consider starting a new conversation on the ​Django Forum, where you'll reach a broader audience and receive additional feedback.

I'll close the ticket for now, but if the community agrees with the proposal, please return to this ticket and reference the forum discussion so we can re-open it. For more information, please refer to ​the documented guidelines for requesting features.

Thanks!

[Sarah Boyce]

Thank you for creating the forum discussion and updating the proposal

As you're suggesting adding a new setting, we usually need quite a strong consensus to do this and I don't currently see much engagement on the discussion in favor of the proposal
You might need to bump or promote/share around the discussion to get more thoughts from others