summaryrefslogtreecommitdiff
path: root/docs/ref/csrf.txt
AgeCommit message (Collapse)Author
2020-10-07Fixed #32065 -- Restored leading dot to CSRF_COOKIE_DOMAIN examples.Carlton Gibson
Partially reverts afd375fc343baa46e61036087bc43b3d096bb0ca. Thanks to Tim Graham for review.
2020-06-24Refs #31493 -- Replaced var with const/let in documentation JS.Adam Johnson
2020-04-01Prevented (and corrected) single backtick usage in docs.Adam Johnson
2020-02-25Fixed #31291 -- Renamed salt to mask for CSRF tokens.Ram Rachum
2019-12-12Rewrote CSRF JavaScript example without jQuery.Jon Dufresne
2019-12-11Fixed #31080 -- Removed redundant type="text/javascript" attribute from ↵Jon Dufresne
<script> tags.
2019-11-27Fixed #31029 -- Used more specific links to RFCs.Baptiste Mispelon
2019-09-06Fixed #30573 -- Rephrased documentation to avoid words that minimise the ↵Tobias Kunze
involved difficulty. This patch does not remove all occurrences of the words in question. Rather, I went through all of the occurrences of the words listed below, and judged if they a) suggested the reader had some kind of knowledge/experience, and b) if they added anything of value (including tone of voice, etc). I left most of the words alone. I looked at the following words: - simply/simple - easy/easier/easiest - obvious - just - merely - straightforward - ridiculous Thanks to Carlton Gibson for guidance on how to approach this issue, and to Tim Bell for providing the idea. But the enormous lion's share of thanks go to Adam Johnson for his patient and helpful review.
2019-03-28Fixed #30299 -- Removed jQuery dependency from getCookie() in CSRF docs.Tim Graham
2018-11-15Used auto-numbered lists in documentation.François Freitag
2018-10-25Fixed #29879 -- Added CSRF_COOKIE_HTTPONLY to CSRF AJAX docs.Mayank Singhal
2018-10-18Fixed #29858 -- Clarified docs regarding CSRF token header name.Tim Graham
2018-07-18Removed duplicate words in docs.Maxime Lorant
.
2018-05-12Alphabetized imports in various docs.Mariusz Felisiak
Follow-up of d97cce34096043b019e818a7fb98c0f9f073704c and 7d3fe36c626a3268413eb86d37920f132eb4a54f.
2018-05-02Fixed #29375 -- Removed empty action attribute on HTML forms.CHI Cheng
2018-04-13Fixed #27863 -- Added support for the SameSite cookie flag.Alex Gaynor
Thanks Alex Gaynor for contributing to the patch.
2017-09-22Removed versionadded/changed annotations for 1.11.Tim Graham
2017-06-22Refs #16870 -- Doc'd that CSRF protection requires the Referer header.Flávio Juvenal
2017-05-22Updated various links in docs to avoid redirectsClaude Paroz
Thanks Tim Graham and Mariusz Felisiak for review and completion.
2017-01-20Refs #16859 -- Updated CSRF FAQ to mention CSRF_USE_SESSIONS setting.Alasdair Nicol
2017-01-17Removed versionadded/changed annotations for 1.10.Tim Graham
2016-11-30Refs #16859 -- Allowed storing CSRF tokens in sessions.Raphael Michel
Major thanks to Shai for helping to refactor the tests, and to Shai, Tim, Florian, and others for extensive and helpful review.
2016-06-28Used strict comparison in docs/ref/csrf.txt's JavaScript.Camilo Nova
2016-06-04Fixed #26628 -- Changed CSRF logger to django.security.csrf.Holly Becker
2016-06-03Fixed #26596 -- Added Jinja2 {{ csrf_input }} documentation.B. J. Potter
2016-06-03Added syntax highlighting to CSRF example.B. J. Potter
2016-06-02Refs #26628 -- Documented CSRF failure logging.Holly Becker
2016-05-20Removed versionadded/changed annotations for 1.9.Tim Graham
2016-05-19Fixed #20869 -- made CSRF tokens change every request by salt-encrypting themShai Berger
Note that the cookie is not changed every request, just the token retrieved by the `get_token()` method (used also by the `{% csrf_token %}` tag). While at it, made token validation strict: Where, before, any length was accepted and non-ASCII chars were ignored, we now treat anything other than `[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for backwards-compatibility, are accepted and replaced by 64-char ones). Thanks Trac user patrys for reporting, github user adambrenecki for initial patch, Tim Graham for help, and Curtis Maloney, Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne for reviews.
2016-05-17Fixed #26601 -- Improved middleware per DEP 0005.Florian Apolloner
Thanks Tim Graham for polishing the patch, updating the tests, and writing documentation. Thanks Carl Meyer for shepherding the DEP.
2016-05-03Fixed #26567 -- Updated references to obsolete RFC2616.Vasiliy Faronov
Didn't touch comments where it wasn't obvious that the code adhered to the newer standard.
2016-04-05Fixed #26201 -- Documented the consequences of rotating the CSRF token on login.Vaclav Ehrlich
2016-03-01Fixed #26165 -- Added some FAQs about CSRF protection.acemaster
Thanks Florian Apolloner and Shai Berger for review.
2016-02-09Fixed #26181 -- Corrected AngularJS CSRF example.userimack
2016-01-21Changed `action="."` to `action=""` in tests and docs.Luke Plant
`action="."` strips query parameters from the URL which is not usually what you want. Copy-paste coding of these examples could lead to difficult to track down bugs or even data loss if the query parameter was meant to alter the scope of a form's POST request.
2016-01-15Added docs about configuring CSRF support in AngularJS.Danilo Bargen
2015-12-23Fixed #25969 -- Replaced render_to_response() with render() in docs examples.Tim Graham
2015-12-01Fixed #25778 -- Updated docs links to use https when available.Jon Dufresne
2015-11-16Fixed #25755 -- Unified spelling of "website".Agnieszka Lasyk
2015-09-16Fixed #24496 -- Added CSRF Referer checking against CSRF_COOKIE_DOMAIN.Matt Robenolt
Thanks Seth Gottlieb for help with the documentation and Carl Meyer and Joshua Kehn for reviews.
2015-09-05Fixed #25334 -- Provided a way to allow cross-origin unsafe requests over HTTPS.Joshua Kehn
Added the CSRF_TRUSTED_ORIGINS setting which contains a list of other domains that are included during the CSRF Referer header verification for secure (HTTPS) requests.
2015-08-19Recommended the JavaScript Cookie library instead of jQuery cookie.Marc
jQuery cookie is no longer maintained in favor of the JavaScript cookie library. This also removes the jQuery dependency.
2015-05-01Updated capitalization in the word "JavaScript" for consistencyDave Hodder
2015-03-05Fixed #21495 -- Added settings.CSRF_HEADER_NAMEGrzegorz Slusarek
2014-12-28Deprecated TEMPLATE_CONTEXT_PROCESSORS.Aymeric Augustin
2014-12-28Moved context_processors from django.core to django.template.Aymeric Augustin
2014-11-15Fixed #23825 -- Added links for decorating class-based views to the CSRF docs.Fabio Natali
2014-11-03Moved CSRF docs out of contrib.Thomas Chaumeny