For the record, I'm not disagreeing with you. I don't know enough about the topic to understand whether or not the referer check actually provides another layer of security. I think the questions you're asking are good ones.
Josh On Wednesday, 4 February 2015 15:11:34 UTC+11, Jon Dufresne wrote: > > On Tue, Feb 3, 2015 at 7:09 PM, Josh Smeaton <[email protected] > <javascript:>> wrote: > > Just quickly, HSTS[0] and X-Frame-Options[1] are supported and > recommended > > in the security documentation already. As you point out though, HSTS > isn't > > yet a full solution, and, frankly, it scares me a little. Personally, I > > redirect the / path to HTTPS from HTTP and drop all other HTTP > connections. > > I think that enhances and is consistent with my existing question. > > If there are better mechanisms to secure against these attacks *and* > they are already recommended by Django, what is the CSRF REFERER check > doing that isn't already solved by these mechanisms? > > By using these other security mechanisms to secure against the attack, > developers can then use the meta referrer tag to help with users' > privacy. > > Cheers, > Jon > -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/8eda6c7e-bcc4-4e88-ab54-bf3399f6b4b6%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
