On Sep 22, 10:25 pm, Simon Willison <[EMAIL PROTECTED]> wrote:

> CSRF[1] is one of the most common web application vulnerabilities, but
> continues to have very poor awareness in the developer community.
> Django ships with CSRF protection in the form of middleware, but it's
> off by default. I'm willing to bet most people don't turn it on.

I agree that a middleware is the wrong place for this. And I'll definitely have to implement some kind of CSRF protection some time in the future. I like it!

> Why not build this in to django.forms.Form directly? Because CSRF is
> only an issue for forms that are supposed to only be used by
> authenticated users. Forms that don't require a cookie don't need to
> be protected.

I'd protect all my forms if there's a neat way to do it. Why would it only apply to logged-in users? I'm not using contrib.auth.

Jan