#33836: Incompatible default setting for CSRF_HEADER_NAME
-------------------------------------+-------------------------------------
Reporter: Matías Santurio | Owner: Matías
| Santurio
Type: Bug | Status: closed
Component: CSRF | Version: 4.0
Severity: Normal | Resolution: fixed
Keywords: CSRF settings | Triage Stage:
| Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Description changed by Matías Santurio:
Old description:
> The default setting for CSRF_HEADER_NAME is 'HTTP_X_CSRFTOKEN' which is
> incompatible with modern web application servers (including django
> development server), this is because it includes an underscore, which
> these servers don't allow since it can lead to 'header-spoofing'.
New description:
The default setting for CSRF_HEADER_NAME is 'HTTP_X_CSRFTOKEN' which is
incompatible with modern web application servers (including django
development server), this is because it includes an underscore, which
these servers don't allow since it can lead to 'header-spoofing'.
I found this on 4.0 but it's present in 4.1 and dev aswell.
--
--
Ticket URL: <https://code.djangoproject.com/ticket/33836#comment:3>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/01070181e6535829-2d7b2a60-4c1f-4da7-8445-98c5a6cbd190-000000%40eu-central-1.amazonses.com.
