summaryrefslogtreecommitdiff
path: root/docs/ref/csrf.txt
AgeCommit message (Collapse)Author
2019-03-28[2.2.x] Fixed #30299 -- Removed jQuery dependency from getCookie() in CSRF docs.Tim Graham
Backport of 8e675e2bd8366adf5d0b579accfef75a7b1bc3bf from master
2018-11-15Used auto-numbered lists in documentation.François Freitag
2018-10-25Fixed #29879 -- Added CSRF_COOKIE_HTTPONLY to CSRF AJAX docs.Mayank Singhal
2018-10-18Fixed #29858 -- Clarified docs regarding CSRF token header name.Tim Graham
2018-07-18Removed duplicate words in docs.Maxime Lorant
.
2018-05-12Alphabetized imports in various docs.Mariusz Felisiak
Follow-up of d97cce34096043b019e818a7fb98c0f9f073704c and 7d3fe36c626a3268413eb86d37920f132eb4a54f.
2018-05-02Fixed #29375 -- Removed empty action attribute on HTML forms.CHI Cheng
2018-04-13Fixed #27863 -- Added support for the SameSite cookie flag.Alex Gaynor
Thanks Alex Gaynor for contributing to the patch.
2017-09-22Removed versionadded/changed annotations for 1.11.Tim Graham
2017-06-22Refs #16870 -- Doc'd that CSRF protection requires the Referer header.Flávio Juvenal
2017-05-22Updated various links in docs to avoid redirectsClaude Paroz
Thanks Tim Graham and Mariusz Felisiak for review and completion.
2017-01-20Refs #16859 -- Updated CSRF FAQ to mention CSRF_USE_SESSIONS setting.Alasdair Nicol
2017-01-17Removed versionadded/changed annotations for 1.10.Tim Graham
2016-11-30Refs #16859 -- Allowed storing CSRF tokens in sessions.Raphael Michel
Major thanks to Shai for helping to refactor the tests, and to Shai, Tim, Florian, and others for extensive and helpful review.
2016-06-28Used strict comparison in docs/ref/csrf.txt's JavaScript.Camilo Nova
2016-06-04Fixed #26628 -- Changed CSRF logger to django.security.csrf.Holly Becker
2016-06-03Fixed #26596 -- Added Jinja2 {{ csrf_input }} documentation.B. J. Potter
2016-06-03Added syntax highlighting to CSRF example.B. J. Potter
2016-06-02Refs #26628 -- Documented CSRF failure logging.Holly Becker
2016-05-20Removed versionadded/changed annotations for 1.9.Tim Graham
2016-05-19Fixed #20869 -- made CSRF tokens change every request by salt-encrypting themShai Berger
Note that the cookie is not changed every request, just the token retrieved by the `get_token()` method (used also by the `{% csrf_token %}` tag). While at it, made token validation strict: Where, before, any length was accepted and non-ASCII chars were ignored, we now treat anything other than `[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for backwards-compatibility, are accepted and replaced by 64-char ones). Thanks Trac user patrys for reporting, github user adambrenecki for initial patch, Tim Graham for help, and Curtis Maloney, Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne for reviews.
2016-05-17Fixed #26601 -- Improved middleware per DEP 0005.Florian Apolloner
Thanks Tim Graham for polishing the patch, updating the tests, and writing documentation. Thanks Carl Meyer for shepherding the DEP.
2016-05-03Fixed #26567 -- Updated references to obsolete RFC2616.Vasiliy Faronov
Didn't touch comments where it wasn't obvious that the code adhered to the newer standard.
2016-04-05Fixed #26201 -- Documented the consequences of rotating the CSRF token on login.Vaclav Ehrlich
2016-03-01Fixed #26165 -- Added some FAQs about CSRF protection.acemaster
Thanks Florian Apolloner and Shai Berger for review.
2016-02-09Fixed #26181 -- Corrected AngularJS CSRF example.userimack
2016-01-21Changed `action="."` to `action=""` in tests and docs.Luke Plant
`action="."` strips query parameters from the URL which is not usually what you want. Copy-paste coding of these examples could lead to difficult to track down bugs or even data loss if the query parameter was meant to alter the scope of a form's POST request.
2016-01-15Added docs about configuring CSRF support in AngularJS.Danilo Bargen
2015-12-23Fixed #25969 -- Replaced render_to_response() with render() in docs examples.Tim Graham
2015-12-01Fixed #25778 -- Updated docs links to use https when available.Jon Dufresne
2015-11-16Fixed #25755 -- Unified spelling of "website".Agnieszka Lasyk
2015-09-16Fixed #24496 -- Added CSRF Referer checking against CSRF_COOKIE_DOMAIN.Matt Robenolt
Thanks Seth Gottlieb for help with the documentation and Carl Meyer and Joshua Kehn for reviews.
2015-09-05Fixed #25334 -- Provided a way to allow cross-origin unsafe requests over HTTPS.Joshua Kehn
Added the CSRF_TRUSTED_ORIGINS setting which contains a list of other domains that are included during the CSRF Referer header verification for secure (HTTPS) requests.
2015-08-19Recommended the JavaScript Cookie library instead of jQuery cookie.Marc
jQuery cookie is no longer maintained in favor of the JavaScript cookie library. This also removes the jQuery dependency.
2015-05-01Updated capitalization in the word "JavaScript" for consistencyDave Hodder
2015-03-05Fixed #21495 -- Added settings.CSRF_HEADER_NAMEGrzegorz Slusarek
2014-12-28Deprecated TEMPLATE_CONTEXT_PROCESSORS.Aymeric Augustin
2014-12-28Moved context_processors from django.core to django.template.Aymeric Augustin
2014-11-15Fixed #23825 -- Added links for decorating class-based views to the CSRF docs.Fabio Natali
2014-11-03Moved CSRF docs out of contrib.Thomas Chaumeny