diff options
Diffstat (limited to 'docs/ref')
| -rw-r--r-- | docs/ref/csrf.txt | 4 | ||||
| -rw-r--r-- | docs/ref/settings.txt | 18 |
2 files changed, 21 insertions, 1 deletions
diff --git a/docs/ref/csrf.txt b/docs/ref/csrf.txt index 590990571f..ba24339a78 100644 --- a/docs/ref/csrf.txt +++ b/docs/ref/csrf.txt @@ -257,7 +257,8 @@ The CSRF protection is based on the following things: due to the fact that HTTP 'Set-Cookie' headers are (unfortunately) accepted by clients that are talking to a site under HTTPS. (Referer checking is not done for HTTP requests because the presence of the Referer header is not - reliable enough under HTTP.) + reliable enough under HTTP.) Expanding the accepted referers beyond the + current host can be done with the :setting:`CSRF_TRUSTED_ORIGINS` setting. This ensures that only forms that have originated from your Web site can be used to POST data back. @@ -460,3 +461,4 @@ A number of settings can be used to control Django's CSRF behavior: * :setting:`CSRF_COOKIE_SECURE` * :setting:`CSRF_FAILURE_VIEW` * :setting:`CSRF_HEADER_NAME` +* :setting:`CSRF_TRUSTED_ORIGINS` diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 217f54281d..ed5ac98947 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -428,6 +428,23 @@ any hyphens with underscores, and adding an ``'HTTP_'`` prefix to the name. For example, if your client sends a ``'X-XSRF-TOKEN'`` header, the setting should be ``'HTTP_X_XSRF_TOKEN'``. +.. setting:: CSRF_TRUSTED_ORIGINS + +CSRF_TRUSTED_ORIGINS +-------------------- + +.. versionadded:: 1.9 + +Default: ``[]`` (Empty list) + +A list of hosts which are trusted origins for unsafe requests (e.g. ``POST``). +For a :meth:`secure <django.http.HttpRequest.is_secure>` unsafe +request, Django's CSRF protection requires that the request have a ``Referer`` +header that matches the origin present in the ``Host`` header. This prevents, +for example, a ``POST`` request from ``subdomain.example.com`` from succeeding +against ``api.example.com``. If you need cross-origin unsafe requests over +HTTPS, continuing the example, add ``"subdomain.example.com"`` to this list. + .. setting:: DATABASES DATABASES @@ -3374,6 +3391,7 @@ Security * :setting:`CSRF_COOKIE_SECURE` * :setting:`CSRF_FAILURE_VIEW` * :setting:`CSRF_HEADER_NAME` + * :setting:`CSRF_TRUSTED_ORIGINS` * :setting:`SECRET_KEY` * :setting:`X_FRAME_OPTIONS` |
