From 5b09354954348f1a56df32b2d7dbe074a23a4532 Mon Sep 17 00:00:00 2001 From: Ram Rachum Date: Tue, 25 Feb 2020 15:16:19 +0200 Subject: Fixed #31291 -- Renamed salt to mask for CSRF tokens. --- docs/ref/csrf.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'docs/ref') diff --git a/docs/ref/csrf.txt b/docs/ref/csrf.txt index 72277415af..7e2a5d45d0 100644 --- a/docs/ref/csrf.txt +++ b/docs/ref/csrf.txt @@ -239,15 +239,15 @@ The CSRF protection is based on the following things: set on the request. In order to protect against `BREACH`_ attacks, the token is not simply the - secret; a random salt is prepended to the secret and used to scramble it. + secret; a random mask is prepended to the secret and used to scramble it. For security reasons, the value of the secret is changed each time a user logs in. #. A hidden form field with the name 'csrfmiddlewaretoken' present in all outgoing POST forms. The value of this field is, again, the value of the - secret, with a salt which is both added to it and used to scramble it. The - salt is regenerated on every call to ``get_token()`` so that the form field + secret, with a mask which is both added to it and used to scramble it. The + mask is regenerated on every call to ``get_token()`` so that the form field value is changed in every such response. This part is done by the template tag. -- cgit v1.3