How does using nginx protect against CSRF attacks?

Marten
On Tuesday, January 16, 2018 at 10:49:21 AM UTC+1, Etienne Robillard wrote:

> A much more practical way to improve security against XSRF attacks is
> using nginx.
>
> Regards,
>
> Etienne
>
> On 2018-01-16 at 04:38, James Bennett wrote:
>
>> If you can demonstrate a practical attack against Django's CSRF system,
>> feel free to email it to [email protected].
>>
>> On Tue, Jan 16, 2018 at 1:26 AM, Etienne Robillard <[email protected]> wrote:
>>
>>> Hi Stephan,
>>>
>>> I'm also interested to understand why I should have some form of CSRF
>>> protection for my wsgi app...
>>>
>>> Perhaps recoding the Django 1.11 CSRF middleware into a proper WSGI
>>> application (CSRFController) would help.
>>>
>>> But seriously, I don't use/recommend the Django CSRF middleware because
>>> it does not improve security of forms processing.
>>>
>>> Cheers,
>>>
>>> Etienne
>>>
>>> On 2018-01-15 at 17:03, Stephan Doliov wrote:
>>>
>>>> Just curious, I recently went on a source code studying binge and took a
>>>> look at the CSRF middleware that comes with Django. I appreciate the work
>>>> and effort of the authors, but I am not sure I gain anything by deploying
>>>> it to my site. Here is why:
>>>>
>>>> The middleware token assigned to a form and to a csrftoken cookie are
>>>> ciphertexts of the same underlying key (by default, the underlying key is
>>>> chosen as 32 randomly chosen (with replacement) chars from a set of 62
>>>> chars). So the easy workaround can be done in one of two ways:
>>>>
>>>> 1) Write a script that just harvests the middleware token from a form
>>>> "protected" with such a token and use the value of that as the csrftoken
>>>> cookie. As the middlewaretoken is a cipher of the underlying token,
>>>> obviously using the same string as the value of the csrftoken cookie will
>>>> satisfy the middleware's demand for authorization of the resource (e.g.
>>>> POSTing to the form).
>>>>
>>>> 2) Learn the easy cipher algorithm the csrf middleware uses and present a
>>>> csrf token cookie that will decode to the right value.
>>>>
>>>> In either case, I am not convinced that meaningful protection against
>>>> CSRF types of requests is provided by the middleware. Am I missing
>>>> something?
>>>>
>>>> Wouldn't it be more secure to just have middleware that whitelists a
>>>> series of origins (aka CORS) and then, unlike CORS, actually performs
>>>> reverse lookups on the DNS of the whitelisted domains? (Of course, this
>>>> assumes that the hosts that might want to make cross-site requests have
>>>> access to managing their reverse DNS.)
>>>>
>>>> Am I missing something; or, if serving performance is a top goal of mine,
>>>> should I just ditch the csrf middleware (and maybe rate limit client
>>>> requests to prevent DoS attacks)?
>>>>
>>>> Thanks,
>>>> Steve
>>>
>>> --
>>> Etienne [email protected]
>>> https://www.isotopesoftware.ca/
>
> --
> Etienne [email protected]
> https://www.isotopesoftware.ca/

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/27709494-b4ba-4588-85cd-3babf18b8afa%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
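As an added illustration of the masked-token scheme Stephan describes (a simplified re-implementation written for this thread, not Django's own code; the 62-char alphabet and 32-char secret are the values he quotes, the function names are assumed), this shows what the server actually compares on a POST and why a token obtained from the attacker's own session does not verify against the victim's cookie.

```python
import hmac
import secrets

# Alphabet and lengths as Stephan quotes them: a 32-char secret over 62 chars.
ALLOWED_CHARS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
N = len(ALLOWED_CHARS)
SECRET_LENGTH = 32
TOKEN_LENGTH = 2 * SECRET_LENGTH  # random mask followed by mask-shifted secret


def new_secret() -> str:
    """Per-session secret; this is the value the csrftoken cookie carries."""
    return "".join(secrets.choice(ALLOWED_CHARS) for _ in range(SECRET_LENGTH))


def mask_secret(secret: str) -> str:
    """Form token: a fresh random mask, then the secret shifted by that mask.
    Every render of the form yields a different token for the same secret."""
    mask = new_secret()  # same alphabet and length, so reuse the generator
    shifted = "".join(
        ALLOWED_CHARS[(ALLOWED_CHARS.index(s) + ALLOWED_CHARS.index(m)) % N]
        for s, m in zip(secret, mask)
    )
    return mask + shifted


def unmask_token(token: str) -> str:
    """Inverse of mask_secret: recover the secret a form token encodes."""
    mask, shifted = token[:SECRET_LENGTH], token[SECRET_LENGTH:]
    return "".join(
        ALLOWED_CHARS[(ALLOWED_CHARS.index(c) - ALLOWED_CHARS.index(m)) % N]
        for c, m in zip(shifted, mask)
    )


def verify(cookie_secret: str, form_token: str) -> bool:
    """POST check: the cookie secret (attached by the browser) must equal the
    unmasked form token; a cross-origin page can read neither for the victim."""
    if len(cookie_secret) != SECRET_LENGTH or len(form_token) != TOKEN_LENGTH:
        return False
    if any(ch not in ALLOWED_CHARS for ch in cookie_secret + form_token):
        return False
    return hmac.compare_digest(cookie_secret, unmask_token(form_token))


def cross_site_post(victim_secret: str, attacker_secret: str) -> bool:
    """Forged request: the browser attaches the victim's cookie, but the only
    form token the attacker can obtain is one from their own session."""
    return verify(victim_secret, mask_secret(attacker_secret))
```

The masking is reversible by design, as Stephan notes; the protection rests on the attacker's origin being unable to read the victim's cookie or a form rendered in the victim's session, not on the cipher being secret.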

