They don't try to guess the CSRF directly, AIUI. They use a form field to affect their test.
The easiest solution I can see is the one mentioned in the document -- instead of outputting the raw value, output SALT || (SALT ^ TOKEN) so the actual value is never in the response, but it can be retrieved by simply xoring it with the salt. The salt is changed every request.

--
Curtis Maloney

On 7 August 2013 16:56, simonb <bno...@gmail.com> wrote:
> How about requiring that if csrfmiddlewaretoken is set, no matter what
> http method (GET, POST...), it is correct otherwise 403 response.
>
> Simon
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-developers+unsubscr...@googlegroups.com.
> To post to this group, send email to django-developers@googlegroups.com.
> Visit this group at http://groups.google.com/group/django-developers.
> For more options, visit https://groups.google.com/groups/opt_out.
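The SALT || (SALT ^ TOKEN) masking Curtis describes, as an added example that is not code from this thread or from Django itself. It assumes a fixed-length random secret token kept server-side and a fresh salt of the same length per response; byte-wise XOR stands in for the transform, and the lengths are constructed values.

```python
import hmac
import os
from typing import Optional

TOKEN_LEN = 32  # constructed length for the secret token (assumption)


def mask_token(token: bytes, salt: Optional[bytes] = None) -> bytes:
    """Return SALT || (SALT ^ TOKEN).

    A fresh random salt on every response means the bytes that reach the
    page body differ each time, so a compressed response no longer carries
    the fixed secret as a stable, guessable substring.
    """
    if salt is None:
        salt = os.urandom(len(token))
    if len(salt) != len(token):
        raise ValueError("salt must match token length")
    masked = bytes(s ^ t for s, t in zip(salt, token))
    return salt + masked


def unmask_token(field: bytes) -> bytes:
    """Recover TOKEN from SALT || (SALT ^ TOKEN): split in half, XOR again."""
    if len(field) == 0 or len(field) % 2 != 0:
        raise ValueError("malformed masked token")
    half = len(field) // 2
    salt, masked = field[:half], field[half:]
    return bytes(s ^ m for s, m in zip(salt, masked))


def token_matches(submitted_field: bytes, expected_token: bytes) -> bool:
    """Server-side check: unmask the submitted form field, then compare it
    in constant time with the secret held in the session or cookie."""
    try:
        candidate = unmask_token(submitted_field)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, expected_token)


def demo():
    """Two renderings of one secret differ on the wire but unmask equally."""
    secret = os.urandom(TOKEN_LEN)
    first, second = mask_token(secret), mask_token(secret)
    assert first != second
    assert unmask_token(first) == unmask_token(second) == secret
    return first, second
```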