On Tue, Feb 3, 2015 at 7:09 PM, Josh Smeaton <josh.smea...@gmail.com> wrote: > Just quickly, HSTS[0] and X-Frame-Options[1] are supported and recommended > in the security documentation already. As you point out though, HSTS isn't > yet a full solution, and, frankly, it scares me a little. Personally, I > redirect the / path to HTTPS from HTTP and drop all other HTTP connections.
I think that enhances and is consistent with my existing question. If there are better mechanisms to secure against these attacks *and* they are already recommended by Django, what is the CSRF REFERER check doing that isn't already solved by these mechanisms? By using these other security mechanisms to secure against the attack, developers can then use the meta referrer tag to help with users' privacy. Cheers, Jon -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at http://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CADhq2b7D2m%2BD4TJ%2BVF8XaeDFQ%3Dtfn2wdE4BFXzWWkhpFALyiMw%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
