I recently read the Coding Horror article Cross-Site Request Forgeries and You <http://www.codinghorror.com/blog/2008/09/cross-site-request-forgeries-and-you.html>, which suggests requiring an HTTP POST form submission for logging out. This same suggestion is implied in the Django book (chapter 16's "A Simple CSRF Example" section <http://www.djangobook.com/en/2.0/chapter16/#cn160>). Then I found Django ticket #7989 Logout view should require POST request <https://code.djangoproject.com/ticket/7989>. I think that the "secure by default" mentality should be applied here, just like how variables are escaped by default in templates (you have to explicitly say that you *don't* want them escaped).
Thoughts?

-- You received this message because you are subscribed to the Google Groups "Django developers" group. To view this discussion on the web visit https://groups.google.com/d/msg/django-developers/-/M63QAbc3dKYJ.
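The risk behind the proposal, as an added example that is not part of the original post or of Django itself: a logout view reachable by GET can be triggered by any page the victim visits (an `<img src>` pointing at the logout URL is enough), whereas a POST-only view protected by a CSRF token cannot. The two handlers below are framework-free stand-ins so the file runs on its own; the `Request` class, the cookie/form field names and the simulated attacks are constructed for illustration, and Django's real check (the `require_POST` decorator plus the CSRF middleware) differs in details such as token masking.

```python
"""Added example, not code from the mailing-list post or from Django.

Models why a logout endpoint should accept only POST plus a CSRF token.
Assumptions: `Request` is a constructed stand-in, not a Django object;
'csrftoken' (cookie) and 'csrfmiddlewaretoken' (form field) are used as
names only because Django uses them, but the comparison here is a
simplified double-submit check, not Django's actual implementation.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for an HTTP request."""
    method: str
    session: dict = field(default_factory=dict)
    POST: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def logout_get_allowed(request):
    """Weak version: any request ends the session, including the GET a
    browser issues for an <img src="/logout"> on a third-party page."""
    request.session.clear()
    return 302  # redirect after logout


def logout_post_only(request):
    """Hardened version: reject non-POST first, then require the form token
    to match the cookie token. A cross-site page can make the browser send
    the cookie but cannot read it to fill in the form field."""
    if request.method != "POST":
        return 405  # Method Not Allowed
    expected = request.cookies.get("csrftoken", "")
    supplied = request.POST.get("csrfmiddlewaretoken", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403  # Forbidden: CSRF check failed
    request.session.clear()
    return 302


def _logged_in_request(method, post=None):
    """Constructed browser state: a live session and a CSRF cookie."""
    return Request(
        method=method,
        session={"user_id": 42},
        POST=post or {},
        cookies={"csrftoken": secrets.token_hex(16)},
    )


def forged_image_get(handler):
    """Simulated <img src=...> on an attacker page: the browser sends a GET
    with the victim's cookies. Returns (status, session still alive)."""
    req = _logged_in_request("GET")
    status = handler(req)
    return status, "user_id" in req.session


def forged_post_without_token(handler):
    """Simulated auto-submitting cross-site form: POST arrives with cookies
    but the attacker could not read the cookie to supply a matching token."""
    req = _logged_in_request("POST", post={"csrfmiddlewaretoken": "guess"})
    status = handler(req)
    return status, "user_id" in req.session


def legitimate_logout(handler):
    """The site's own logout form: the template embedded the token, so the
    form field matches the cookie."""
    req = _logged_in_request("POST")
    req.POST["csrfmiddlewaretoken"] = req.cookies["csrftoken"]
    status = handler(req)
    return status, "user_id" in req.session


if __name__ == "__main__":
    print("GET logout, weak handler:      ", forged_image_get(logout_get_allowed))
    print("GET logout, POST-only handler: ", forged_image_get(logout_post_only))
    print("Forged POST, no token:         ", forged_post_without_token(logout_post_only))
    print("Legitimate POST with token:    ", legitimate_logout(logout_post_only))
```

Running the file shows the weak handler logging the user out on the forged GET (status 302, session gone), while the hardened handler returns 405 for the GET and 403 for the token-less POST, leaving the session intact, and only the site's own form with a matching token completes the logout.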