#34182: Is there a reason only the headers are checked when using the csrf
token?
--------------------------------------------+------------------------------
Reporter: Joon Hwan 김준환 | Owner: nobody
Type: New feature | Status: new
Component: CSRF | Version: dev
Severity: Normal | Keywords: csrf, cookie
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
--------------------------------------------+------------------------------
It seems unnatural to put the token back in the body while using the
httponly option.
If verify with a cookie (not x-csrftoken header), security is enhanced and
it looks much cleaner.
--
Ticket URL: <https://code.djangoproject.com/ticket/34182>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/01070184ac765eac-436e12c1-3cba-472c-8511-fe8d55a25dd5-000000%40eu-central-1.amazonses.com.
