[PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default

From: Marti Raudsepp <marti(at)juffo(dot)org>
To: pgsql-www <pgsql-www(at)postgresql(dot)org>
Subject: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default
Date: 2012-10-30 20:54:36
Message-ID: CABRT9RCR=ZmFcVEoSyGRtPNPNP1W+6esp3RwXqipWGU23oJjYg@mail.gmail.com
Lists: pgsql-www

Hi list,

I noticed that most of the forms on the Postgres community site don't
use CSRF protection. That's bad -- CSRF should be on by default.

I went through all the views that handle POST data and didn't find any
that should handle input from cross-domain requests. But CSRF
exceptions, if any, should be decorated with @csrf_exempt (from
django.views.decorators.csrf).

Also available from my GitHub repo: https://github.com/intgr/pgweb

Regards,
Marti

Attachment: 0001-Enable-CsrfViewMiddleware-make-CSRF-protection-requi.patch (application/octet-stream, 4.2 KB)
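
An added example, not part of the original message or the pgweb patch: one way to repeat the review described above, listing the view functions that handle POST data and marking those decorated with @csrf_exempt, so each exemption can be checked once CsrfViewMiddleware is enabled. The sample views module and the helper names (`audit_views`, `_reads_post`, `_decorator_name`) are constructed for illustration.

```python
import ast

# Constructed sample of a Django views module (not taken from pgweb).
SAMPLE_VIEWS = '''
from django.views.decorators.csrf import csrf_exempt

def submit_form(request):
    if request.method == "POST":
        save(request.POST["title"])

@csrf_exempt
def payment_callback(request):
    handle(request.POST)

def listing(request):
    return render(request, "list.html")
'''

def _decorator_name(node):
    """Return the bare name of a decorator written as @x, @mod.x or @x(...)."""
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None

def _reads_post(func):
    """True if the function touches <obj>.POST or uses the string "POST"."""
    for node in ast.walk(func):
        if isinstance(node, ast.Attribute) and node.attr == "POST":
            return True
        if isinstance(node, ast.Constant) and node.value == "POST":
            return True
    return False

def audit_views(source):
    """Map each POST-handling function to 'exempt' or 'protected'.

    'protected' means no @csrf_exempt was found, so the middleware applies.
    """
    report = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)) and _reads_post(node):
            names = {_decorator_name(d) for d in node.decorator_list}
            report[node.name] = "exempt" if "csrf_exempt" in names else "protected"
    return report

if __name__ == "__main__":
    for name, status in sorted(audit_views(SAMPLE_VIEWS).items()):
        print(f"{name}: {status}")
```

Every function reported as exempt is a view that accepts POST data without a CSRF token and should have a documented reason for doing so.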
