That does seem to be a good effort towards CSRF prevention. However, it's 
currently in draft status, and doesn't provide any protection if not 
supported by your browser. According to caniuse.com[1], the browsers 
supporting this feature currently occupy just under 60% of the browser 
market. About 40% of users would still be vulnerable to CSRF attacks. IMO 
that's too large a chunk of users to leave unprotected. 

When this feature reaches maturity it will likely be a good option to 
combat CSRF, but right now it doesn't provide adequate protection on its 
own. Django's CSRF middleware does provide protection for the remaining 
40%. 

Marten


[1] https://caniuse.com/#search=samesite

On Tuesday, January 16, 2018 at 6:19:17 PM UTC+1, Etienne Robillard wrote:
>
> See this: https://www.owasp.org/index.php/SameSite
>
> Cheers,
>
> Etienne
>
> Le 2018-01-16 à 10:36, knbk a écrit :
>
> How does using nginx protect against CSRF attacks?
>
> Marten
>
> On Tuesday, January 16, 2018 at 10:49:21 AM UTC+1, Etienne Robillard 
> wrote: 
>>
>> A much more practical way to improve security against XSRF attacks is 
>> using nginx.
>>
>> Regards,
>>
>> Etienne
>>
>> Le 2018-01-16 à 04:38, James Bennett a écrit :
>>
>> If you can demonstrate a practical attack against Django's CSRF system, 
>> feel free to email it to [email protected].
>>
>> On Tue, Jan 16, 2018 at 1:26 AM, Etienne Robillard <[email protected]> 
>> wrote:
>>
>>> Hi Stephan,
>>>
>>> I'm also interested to understand why I should have some form of CSRF 
>>> protection for my wsgi app... 
>>>
>>> Perhaps recoding the Django 1.11 CSRF middleware into a proper WSGI 
>>> application (CSRFController) would help.
>>>
>>> But seriously, I don't use/recommend the Django CSRF middleware because 
>>> it does not improve security of forms processing. 
>>>
>>>
>>> cheers,
>>>
>>> Etienne
>>>
>>>
>>>
>>> Le 2018-01-15 à 17:03, Stephan Doliov a écrit :
>>>
>>> Just curious, I recently went on a source code studying binge and took a 
>>> look at the CSRF middleware that comes with Django. I appreciate the work 
>>> and effort of the authors, but I am not sure I gain anything by deploying 
>>> it to my site. Here is why: 
>>> The middleware token assigned to a form and to a csrftoken cookie are 
>>> ciphertexts of the same underlying key (by default, the underlying key is 
>>> chosen as 32 randomly chosen (with replacement) chars from a set of 62 
>>> chars). So the easy workaround can be done in one of two ways:
>>>
>>> 1) Write a script that just harvests the middleware token from a form 
>>> "protected" with such token and use the value of that as the csrftoken 
>>> cookie.
>>> As the middlewaretoken is a cipher of the underlying token, obviously 
>>> using the same string as the value of the csrftoken cookie will satisfy 
>>> the middleware's demand for authorization of the resource (e.g. POSTing to 
>>> the form).
>>>
>>> 2) Learn the easy cipher algorithm the csrf middleware uses and present 
>>> a csrf token cookie that will decode to the right value.
>>>
>>> In either case, I am not convinced that meaningful protection against 
>>> CSRF types of requests is provided by the middleware. Am I missing 
>>> something?
>>>
>>> Wouldn't it be more secure to just have middleware that whitelists a 
>>> series of origins (aka CORS) and then, unlike CORS, actually performs 
>>> reverse lookups on the DNS of the whitelisted domains? (Of course, this 
>>> assumes that the hosts that might want to make cross-site requests have 
>>> access to managing their reverse DNS.)
>>>
>>> Am I missing something; or, if serving performance is a top goal of 
>>> mine, should I just ditch the csrf middleware? (and maybe rate limit client 
>>> requests to prevent DoS attacks)?
>>>
>>> Thanks,
>>> Steve
>>> -- 
>>> You received this message because you are subscribed to the Google 
>>> Groups "Django users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to [email protected].
>>> To post to this group, send email to [email protected].
>>> Visit this group at https://groups.google.com/group/django-users.
>>> To view this discussion on the web visit 
>>> https://groups.google.com/d/msgid/django-users/9c4a794f-aa9e-4c00-ba20-779ad7a87d2a%40googlegroups.com
>>>  
>>> <https://groups.google.com/d/msgid/django-users/9c4a794f-aa9e-4c00-ba20-779ad7a87d2a%40googlegroups.com?utm_medium=email&utm_source=footer>
>>> .
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>>
>>> -- 
>>> Etienne [email protected] https://www.isotopesoftware.ca/
>>>
>>>
>>
>>
>>
>> -- 
>> Etienne [email protected] https://www.isotopesoftware.ca/
>>
>
>
> -- 
> Etienne [email protected] https://www.isotopesoftware.ca/
>
>
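The token masking Stephan describes and the check Marten says still protects users without SameSite support, as an added example that is not Django's code and not any poster's: a re-implementation of the Django 1.11 mask/unmask scheme (32-char secret over the 62-char set, salt prepended) followed by the comparison the middleware performs on a POST. The function and constant names are assumptions chosen to mirror the thread's wording.

```python
import hmac
import secrets
import string

# Added illustration, not Django's own code: the masking scheme Django 1.11 uses for
# its CSRF token. Names below are assumptions chosen to mirror the thread's wording.
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits   # the 62-char set
CSRF_SECRET_LENGTH = 32                                     # 32 chars, with replacement
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH                  # salt + masked secret


def get_new_csrf_secret():
    """Per-session secret: 32 chars drawn with replacement from the 62-char set."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def salt_cipher_secret(secret):
    """Mask: draw a fresh random salt, add it to the secret position-wise mod 62,
    return salt + masked. Every call yields a different-looking token for the
    same secret; the mask is an anti-BREACH measure, not a secrecy mechanism."""
    chars = CSRF_ALLOWED_CHARS
    salt = "".join(secrets.choice(chars) for _ in range(CSRF_SECRET_LENGTH))
    masked = "".join(chars[(chars.index(s) + chars.index(k)) % len(chars)]
                     for s, k in zip(secret, salt))
    return salt + masked


def unsalt_cipher_token(token):
    """Unmask: split off the salt and subtract it back out, position-wise mod 62."""
    chars = CSRF_ALLOWED_CHARS
    salt, masked = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    return "".join(chars[(chars.index(m) - chars.index(k)) % len(chars)]
                   for m, k in zip(masked, salt))


def token_is_well_formed(token):
    return len(token) == CSRF_TOKEN_LENGTH and all(c in CSRF_ALLOWED_CHARS for c in token)


def compare_masked_tokens(request_csrf_token, csrf_cookie):
    """The check the middleware applies to a POST: form token and cookie must
    unmask to the same secret. Any two maskings of one secret pass, including
    the form token itself in the cookie slot (the thread's "workaround"), which
    is why the protection lies elsewhere: a page on another origin cannot read
    the victim's form or cookie, so it cannot supply a matching pair."""
    if not (token_is_well_formed(request_csrf_token) and token_is_well_formed(csrf_cookie)):
        return False
    return hmac.compare_digest(unsalt_cipher_token(request_csrf_token),
                               unsalt_cipher_token(csrf_cookie))
```

Because the masking is reversible by design, the cookie being "a ciphertext of the same key" is expected and not a weakness; the thread's workaround only helps someone who can already read or set values inside the victim's session with the site.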
