Tuesday, April 21, 2020

Re: CSRF token still needed today?

Hi, if you have a URL with stuff?Stuff=Stuff the URL can be changed.
See the link below.

On Wed, Apr 22, 2020 at 6:16 AM guettli <guettli.google@thomas-guettler.de> wrote:
Hi David, could you please explain how cross site forgery requests can happen
with the current default for cookies (SameSite=Lax)? 

On Monday, 20 April 2020 14:43:10 UTC+2, David Merrick wrote:
If you want cross site forgery requests, get rid of it.

On Mon, Apr 20, 2020 at 10:45 PM Andréas Kühne <andrea...@hypercode.se> wrote:
Why is it a problem to have? You add one specific command on all forms - or you disable it in the view...

What do you want to accomplish by removing it?

Regards,

Andréas


On Sun, 19 Apr 2020 at 22:12, guettli <guettl...@thomas-guettler.de> wrote:
I look at this page: https://docs.djangoproject.com/en/3.0/ref/csrf/
... and then I look at this page: https://scotthelme.co.uk/csrf-is-dead/

Is a CSRF token still needed today?

All my users use a modern browser.

It would be very nice if I could get rid of the CSRF token.

Is there a safe way to avoid CSRF tokens in my Django project?

Regards,
  Thomas

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/487c7392-e874-4a1e-a1ff-488ab933ae42%40googlegroups.com.

--
Dave Merrick

TutorInvercargill


Email merri...@gmail.com

Ph   03 216 2053

Cell 027 3089 169
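
An added example, not part of the thread or of Django's own code: a simplified model of when a browser attaches a `SameSite` session cookie, combined with the fact that Django's `CsrfViewMiddleware` only checks unsafe methods. The function names, the hosts and the two-label `site()` heuristic are assumptions made for illustration.

```python
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}  # methods Django's CSRF check skips


def site(url):
    """Scheme plus last two host labels.

    Assumption: stands in for the registrable domain; browsers use the
    Public Suffix List, so this is wrong for suffixes such as co.uk.
    """
    parts = urlsplit(url)
    return parts.scheme, ".".join(parts.hostname.split(".")[-2:])


def cookie_sent(samesite, initiator, target, method, top_level):
    """Would a browser attach a session cookie carrying this SameSite value?"""
    if site(initiator) == site(target):
        return True  # same-site request: SameSite never withholds the cookie
    if samesite == "Strict":
        return False
    if samesite == "Lax":  # cross-site: only top-level navigations with a safe method
        return top_level and method in SAFE_METHODS
    return True  # "None": sent on every request


def forged_request_accepted(samesite, initiator, target, method, top_level, token_checked):
    """True if a request the user never intended arrives with the session and is not rejected."""
    if not cookie_sent(samesite, initiator, target, method, top_level):
        return False
    if token_checked and method not in SAFE_METHODS:
        return False  # assumed: the forged request carries no valid CSRF token
    return True


# Constructed scenarios: (label, initiator, target, method, top_level, token_checked)
SCENARIOS = [
    ("cross-site form POST, no token", "https://other.example.net/", "https://app.example.com/transfer", "POST", True, False),
    ("cross-site link to state-changing GET", "https://other.example.net/", "https://app.example.com/delete?id=1", "GET", True, True),
    ("sibling subdomain POST, no token", "https://blog.example.com/", "https://app.example.com/transfer", "POST", True, False),
    ("sibling subdomain POST, token checked", "https://blog.example.com/", "https://app.example.com/transfer", "POST", True, True),
]

if __name__ == "__main__":
    for label, *args in SCENARIOS:
        print(f"{label:40} accepted={forged_request_accepted('Lax', *args)}")
```

In this model `SameSite=Lax` stops the classic cross-site POST, but not a request from another subdomain of the same site, which only the token check rejects. A view that changes state on GET is covered by neither mechanism, so such views need to require POST.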
