diff options
Diffstat (limited to 'docs/ref')
| -rw-r--r-- | docs/ref/csrf.txt | 43 | ||||
| -rw-r--r-- | docs/ref/settings.txt | 16 |
2 files changed, 38 insertions, 21 deletions
diff --git a/docs/ref/csrf.txt b/docs/ref/csrf.txt index e9c402cf4d..dcd86c53ea 100644 --- a/docs/ref/csrf.txt +++ b/docs/ref/csrf.txt @@ -110,11 +110,12 @@ The above code could be simplified by using the `JavaScript Cookie library .. note:: - The CSRF token is also present in the DOM, but only if explicitly included - using :ttag:`csrf_token` in a template. The cookie contains the canonical - token; the ``CsrfViewMiddleware`` will prefer the cookie to the token in - the DOM. Regardless, you're guaranteed to have the cookie if the token is - present in the DOM, so you should use the cookie! + The CSRF token is also present in the DOM in a masked form, but only if + explicitly included using :ttag:`csrf_token` in a template. The cookie + contains the canonical, unmasked token. The + :class:`~django.middleware.csrf.CsrfViewMiddleware` will accept either. + However, in order to protect against `BREACH`_ attacks, it's recommended to + use a masked token. .. warning:: @@ -231,25 +232,21 @@ How it works The CSRF protection is based on the following things: -#. A CSRF cookie that is based on a random secret value, which other sites - will not have access to. +#. A CSRF cookie that is a random secret value, which other sites will not have + access to. - This cookie is set by ``CsrfViewMiddleware``. It is sent with every - response that has called ``django.middleware.csrf.get_token()`` (the - function used internally to retrieve the CSRF token), if it wasn't already - set on the request. + ``CsrfViewMiddleware`` sends this cookie with the response whenever + ``django.middleware.csrf.get_token()`` is called. It can also send it in + other cases. For security reasons, the value of the secret is changed each + time a user logs in. - In order to protect against `BREACH`_ attacks, the token is not simply the - secret; a random mask is prepended to the secret and used to scramble it. +#. A hidden form field with the name 'csrfmiddlewaretoken', present in all + outgoing POST forms. - For security reasons, the value of the secret is changed each time a - user logs in. - -#. A hidden form field with the name 'csrfmiddlewaretoken' present in all - outgoing POST forms. The value of this field is, again, the value of the - secret, with a mask which is both added to it and used to scramble it. The - mask is regenerated on every call to ``get_token()`` so that the form field - value is changed in every such response. + In order to protect against `BREACH`_ attacks, the value of this field is + not simply the secret. It is scrambled differently with each response using + a mask. The mask is generated randomly on every call to ``get_token()``, so + the form field value is different each time. This part is done by the template tag. @@ -294,6 +291,10 @@ The CSRF protection is based on the following things: ``Origin`` checking was added, as described above. +.. versionchanged:: 4.1 + + In older versions, the CSRF cookie value was masked. + This ensures that only forms that have originated from trusted domains can be used to POST data back. diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 2a6f082842..54d9c992c9 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -347,6 +347,22 @@ form input <acquiring-csrf-token-from-html>` instead of :ref:`from the cookie See :setting:`SESSION_COOKIE_HTTPONLY` for details on ``HttpOnly``. +.. setting:: CSRF_COOKIE_MASKED + +``CSRF_COOKIE_MASKED`` +---------------------- + +.. versionadded:: 4.1 + +Default: ``False`` + +Whether to mask the CSRF cookie. See +:ref:`release notes <csrf-cookie-masked-usage>` for usage details. + +.. deprecated:: 4.1 + + This transitional setting is deprecated and will be removed in Django 5.0. + .. setting:: CSRF_COOKIE_NAME ``CSRF_COOKIE_NAME`` |
