Paul's summary was: HTTPS, HSTS and validate the Host header. I will add: you *must* also ensure there are no XSS vulnerabilities on your website.
If your website has an XSS vulnerability, there can be no CSRF protection. This is because XSS makes it possible to steal the CSRF token as well as the session cookie. Now, Django HTML-escapes content by default, but you should be aware that this isn't sufficient to prevent XSS. For example, if you insert dynamic content as part of an HTML attribute, or as part of a JavaScript string, Django's default protection isn't sufficient.

Refer to OWASP's XSS prevention cheat sheet: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet. The rules for escaping content vary depending on where you insert the dynamic content. Django's escaping is sufficient for Rule #1 in the cheat sheet. But it is NOT sufficient, and even incorrect, if you insert dynamic data in places such as HTML attributes, JavaScript quoted strings or JSON objects. This isn't Django's limitation, though: templates cannot figure out the context in which the author is inserting dynamic content.

So, in a nutshell, you should be careful.
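The two failure modes the post describes, an unquoted HTML attribute and a JavaScript string inside an event-handler attribute, are shown below as an added example; this is not code from the original post or from Django. It assumes that Python's `html.escape` (which replaces the same five characters, `& < > " '`) stands in for Django's default escaping, uses the standard library's `HTMLParser` to model how a browser tokenizes attributes and decodes character references before any JavaScript runs, and the `greet` handler, the `<input>`/`<button>` templates and the attacker payloads are constructed for illustration. The hardened variants follow OWASP Rule #2 (always quote attributes) and Rule #3 (escape for the JavaScript string context first, then for the HTML attribute that contains it).

```python
import html
import re
from html.parser import HTMLParser


def django_style_escape(value: str) -> str:
    """Stand-in for Django's default autoescaping: html.escape(quote=True)
    replaces the same five characters (& < > " ')."""
    return html.escape(value, quote=True)


def js_string_escape(value: str) -> str:
    """OWASP XSS cheat sheet Rule #3: inside a JavaScript quoted string,
    escape every character except [A-Za-z0-9] as \\xHH (or \\uHHHH)."""
    out = []
    for ch in value:
        if ord(ch) < 128 and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append("\\u%04x" % ord(ch))
    return "".join(out)


class _AttrCollector(HTMLParser):
    """Collects attributes the way a browser tokenizer sees them: unquoted
    values end at whitespace, and character references in attribute values
    are decoded *before* the JavaScript engine ever runs the handler."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        self.attrs.update(attrs)


def browser_attrs(rendered_html: str) -> dict:
    parser = _AttrCollector()
    parser.feed(rendered_html)
    parser.close()
    return parser.attrs


# --- Case 1: dynamic data in an *unquoted* HTML attribute ----------------
def render_unquoted(value: str) -> str:
    # Template equivalent: <input value={{ value }}>   (hypothetical template)
    # Escaping never touches spaces or '=', so a new attribute can be injected.
    return "<input value=%s>" % django_style_escape(value)


def render_quoted(value: str) -> str:
    # Template equivalent: <input value="{{ value }}">  (OWASP Rule #2)
    # A '"' in the data becomes &quot;, so the value cannot be closed early.
    return '<input value="%s">' % django_style_escape(value)


# --- Case 2: dynamic data in a JS string inside an event handler ---------
def render_handler_unsafe(name: str) -> str:
    # Template equivalent: <button onclick="greet('{{ name }}')">  (hypothetical)
    # Django turns ' into &#x27;, but the HTML attribute decoder turns it
    # back into ' before the JS engine sees it, so the string is broken out of.
    return "<button onclick=\"greet('%s')\">hi</button>" % django_style_escape(name)


def render_handler_safe(name: str) -> str:
    # Inner context (JS string) first, then outer context (HTML attribute).
    return "<button onclick=\"greet('%s')\">hi</button>" % django_style_escape(
        js_string_escape(name)
    )


# One greet(...) call whose argument is a single string literal containing no
# raw quote; anything else means the data escaped the string context.
_SINGLE_STRING_CALL = re.compile(
    r"^greet\('(?:[^'\\]|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4})*'\)$"
)


def handler_is_single_call(rendered_html: str) -> bool:
    """True if the onclick code the browser would execute is still exactly
    one greet('...') call, i.e. the dynamic data did not break out."""
    onclick = browser_attrs(rendered_html).get("onclick", "")
    return _SINGLE_STRING_CALL.match(onclick) is not None


if __name__ == "__main__":
    # Constructed attacker inputs for the two contexts.
    attr_payload = "x onmouseover=alert(1)"
    js_payload = "');alert(1)//"

    print(browser_attrs(render_unquoted(attr_payload)))    # gains an onmouseover attribute
    print(browser_attrs(render_quoted(attr_payload)))      # everything stays inside value
    print(browser_attrs(render_handler_unsafe(js_payload))["onclick"])  # greet('');alert(1)//')
    print(browser_attrs(render_handler_safe(js_payload))["onclick"])
    print(handler_is_single_call(render_handler_unsafe(js_payload)),
          handler_is_single_call(render_handler_safe(js_payload)))
```

The point the parser makes visible is ordering: for an event-handler attribute the browser decodes `&#x27;` back to `'` and only then hands the text to the JavaScript engine, so HTML escaping alone is undone before it matters. Escaping for the inner JavaScript context first leaves nothing (no raw quote, semicolon or parenthesis) for the attribute decoder to restore. For the JSON-object case the post mentions, current Django versions provide the `json_script` template filter, which serialises the value with `<`, `>` and `&` encoded as `\u003c`-style JSON escapes inside a `<script type="application/json">` block; older versions need the same treatment done by hand.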