On Mon, 17 Apr 2023, at 04:25, 'Ryan Hiebert' via Django developers  
(Contributions to Django itself) wrote:
> I've recently been working with other new frameworks, particularly Remix. 
> Coming from Django, which has had excellent CSRF for many years, one of my 
> first questions was how to handle CSRF protection. And the response I got 
> led me to the "Lax" SameSite cookie parameter, and that I really wouldn't 
> need more than that for the session cookie.

I think I missed a detail here.

What problem are you having with using CSRF?

What response did you get?

Was it different to what's in the Django docs here?
https://docs.djangoproject.com/en/4.2/howto/csrf/#using-csrf-protection-with-ajax

> 
> It appears that Django has defaulted the session cookie to `Lax` since the 
> SESSION_COOKIE_SAMESITE parameter was added in Django 2.1. All current 
> browsers seem to have supported it since 2019. Is it time for us to remove 
> the CSRF Middleware from the default settings template file?

Are you implying that all CSRF attacks protected by Django's current machinery 
are entirely mitigated by SameSite=Lax on the _session_ cookie?

--
Curtis
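To make the question above concrete, here is an added example (not code from the thread or from Django itself): a simplified model of the browser rule that decides whether a cookie is attached under each SameSite mode, next to the method-based check Django's CSRF middleware applies. "Site" is assumed to mean the registrable domain, and the site names are constructed.

```python
# Added example, not part of the thread. Simplified model of cookie attachment
# (RFC 6265bis SameSite rules) and of Django's method-based CSRF check, to show
# which requests SameSite=Lax on the session cookie does and does not cover.
from dataclasses import dataclass

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Request:
    method: str
    initiator_site: str          # registrable domain of the page issuing the request
    target_site: str             # registrable domain the request is sent to
    top_level_navigation: bool   # link click / form submit that changes the tab's URL


def cookie_sent(samesite: str, req: Request) -> bool:
    """Would the browser attach a cookie with this SameSite value to req?"""
    if req.initiator_site == req.target_site:
        return True                      # same-site: always attached
    mode = samesite.lower()
    if mode == "none":
        return True                      # cross-site always (cookie must also be Secure)
    if mode == "strict":
        return False                     # never cross-site
    if mode == "lax":
        # Lax still rides along on cross-site top-level navigations that use a
        # safe method, e.g. the user following a link to the site.
        return req.top_level_navigation and req.method in SAFE_METHODS
    raise ValueError(f"unknown SameSite value: {samesite!r}")


def csrf_middleware_accepts(req: Request, has_valid_token: bool) -> bool:
    """Django-style rule: unsafe methods need a valid CSRF token, whatever the cookie did."""
    return req.method in SAFE_METHODS or has_valid_token


def session_request_processed(samesite: str, req: Request,
                              has_valid_token: bool,
                              csrf_middleware_enabled: bool = True) -> bool:
    """Does req reach the view with the user's session and pass the CSRF check?"""
    if not cookie_sent(samesite, req):
        return False                     # no session cookie: request is anonymous
    if csrf_middleware_enabled:
        return csrf_middleware_accepts(req, has_valid_token)
    return True                          # middleware removed: only the cookie rule remains
```

The model shows the two layers are independent: Lax stops the cross-site POST even with no token check, while a same-site request with no token is stopped only by the middleware.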
